
Analysis

  • max time kernel
    35s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/03/2024, 19:49 UTC

General

  • Target

    bulder.exe

  • Size

    228KB

  • MD5

    d8de90f21ece872c78887d8532bc4724

  • SHA1

    8abf63837160fe18efb7629ed630402cf9bcb361

  • SHA256

    11e06b3c4301175f96442f0295d9dfade52bf2e9712d2a84da3c54d4d4dd47b9

  • SHA512

    1c02c2560f8a198b0cea474a0b90ef9b5050a3ccbb242ed1600ddf149bb4166a85d69a66622b07884f4ad59e3da447b74e1682f9376ea8d1a54ae48c2776bc49

  • SSDEEP

    6144:xloZM+rIkd8g+EtXHkv/iD4F9KUw2xpaAPyAxVkjab8e1mci:DoZtL+EP8F9KUw2xpaAPyAxVkyG

Score
10/10

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral Stealer is an open-source, modular stealer written in C#. The 10/10 score rests on the payload match; the AdjustPrivilegeToken signature below is a weak indicator on its own, and within the 40 s network window the only traffic attributed to bulder.exe is the gstatic.com connectivity probe, so no exfiltration is recorded in this run.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bulder.exe
    "C:\Users\Admin\AppData\Local\Temp\bulder.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID: 372

Network

  • flag-us
    DNS
    136.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    gstatic.com
    bulder.exe
    Remote address:
    8.8.8.8:53
    Request
    gstatic.com
    IN A
    Response
    gstatic.com
    IN A
    142.251.36.3
  • flag-nl
    GET
    https://gstatic.com/generate_204
    bulder.exe
    Remote address:
    142.251.36.3:443
    Request
    GET /generate_204 HTTP/1.1
    Host: gstatic.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 204 No Content
    Content-Length: 0
    Cross-Origin-Resource-Policy: cross-origin
    Date: Sat, 23 Mar 2024 19:49:58 GMT
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.179.17.96.in-addr.arpa
    IN PTR
    Response
    56.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-56.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    3.36.251.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    3.36.251.142.in-addr.arpa
    IN PTR
    Response
    3.36.251.142.in-addr.arpa
    IN PTR
    ams15s44-in-f3.1e100.net
  • flag-us
    DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6211dc2439144708b4bbfa8040fb5d70&localId=w:2EBBC17B-F2BF-CBA4-B0F0-4BC5BF6536CE&deviceId=6755461004769679&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6211dc2439144708b4bbfa8040fb5d70&localId=w:2EBBC17B-F2BF-CBA4-B0F0-4BC5BF6536CE&deviceId=6755461004769679&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=1A3862260A026BFF1D39766D0BE26A66; domain=.bing.com; expires=Thu, 17-Apr-2025 19:50:01 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0FE3C0CE76324D00BBCF362F0C76E32F Ref B: LON04EDGE1210 Ref C: 2024-03-23T19:50:01Z
    date: Sat, 23 Mar 2024 19:50:00 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=6211dc2439144708b4bbfa8040fb5d70&localId=w:2EBBC17B-F2BF-CBA4-B0F0-4BC5BF6536CE&deviceId=6755461004769679&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=6211dc2439144708b4bbfa8040fb5d70&localId=w:2EBBC17B-F2BF-CBA4-B0F0-4BC5BF6536CE&deviceId=6755461004769679&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1A3862260A026BFF1D39766D0BE26A66
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=fg3ygxzec1cJZGTnYAtjwubmNrr0rzkRKe-Oioh0ou8; domain=.bing.com; expires=Thu, 17-Apr-2025 19:50:02 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E50EEB40F3974664A11BDE44881E50CA Ref B: LON04EDGE1210 Ref C: 2024-03-23T19:50:02Z
    date: Sat, 23 Mar 2024 19:50:01 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6211dc2439144708b4bbfa8040fb5d70&localId=w:2EBBC17B-F2BF-CBA4-B0F0-4BC5BF6536CE&deviceId=6755461004769679&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6211dc2439144708b4bbfa8040fb5d70&localId=w:2EBBC17B-F2BF-CBA4-B0F0-4BC5BF6536CE&deviceId=6755461004769679&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1A3862260A026BFF1D39766D0BE26A66; MSPTC=fg3ygxzec1cJZGTnYAtjwubmNrr0rzkRKe-Oioh0ou8
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 724B685E4D1F4A8080DB8DF36A312DA2 Ref B: LON04EDGE1210 Ref C: 2024-03-23T19:50:02Z
    date: Sat, 23 Mar 2024 19:50:01 GMT
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    92.123.241.137
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt
    Remote address:
    92.123.241.137:80
    Request
    GET /pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1126
    Content-Type: application/octet-stream
    Content-MD5: YAUaFgF7vUODUG8XQQW6BQ==
    Last-Modified: Fri, 28 Sep 2018 22:50:05 GMT
    ETag: 0x8D62594BC0C84D8
    x-ms-request-id: 9327f1ba-601e-004f-4648-1536e4000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    X-EdgeConnect-Origin-MEX-Latency: 108
    X-EdgeConnect-Origin-MEX-Latency: 111
    Date: Sat, 23 Mar 2024 19:50:19 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV17abb31b.0
    ms-cv-esi: CASMicrosoftCV17abb31b.0
    X-RTag: RT
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt
    Remote address:
    92.123.241.137:80
    Request
    GET /pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1126
    Content-Type: application/octet-stream
    Content-MD5: YAUaFgF7vUODUG8XQQW6BQ==
    Last-Modified: Fri, 28 Sep 2018 22:50:05 GMT
    ETag: 0x8D62594BC0C84D8
    x-ms-request-id: 9327f1ba-601e-004f-4648-1536e4000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    X-EdgeConnect-Origin-MEX-Latency: 108
    Date: Sat, 23 Mar 2024 19:50:20 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV11dbbe57.0
    ms-cv-esi: CASMicrosoftCV11dbbe57.0
    X-RTag: RT
  • flag-us
    DNS
    137.241.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    137.241.123.92.in-addr.arpa
    IN PTR
    Response
    137.241.123.92.in-addr.arpa
    IN PTR
    a92-123-241-137.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    140.71.91.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.71.91.104.in-addr.arpa
    IN PTR
    Response
    140.71.91.104.in-addr.arpa
    IN PTR
    a104-91-71-140.deploy.static.akamaitechnologies.com
  • 142.251.36.3:443
    https://gstatic.com/generate_204
    tls, http
    bulder.exe
    862 B
    5.1kB
    11
    9

    HTTP Request

    GET https://gstatic.com/generate_204

    HTTP Response

    204
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6211dc2439144708b4bbfa8040fb5d70&localId=w:2EBBC17B-F2BF-CBA4-B0F0-4BC5BF6536CE&deviceId=6755461004769679&anid=
    tls, http2
    2.0kB
    9.2kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6211dc2439144708b4bbfa8040fb5d70&localId=w:2EBBC17B-F2BF-CBA4-B0F0-4BC5BF6536CE&deviceId=6755461004769679&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=6211dc2439144708b4bbfa8040fb5d70&localId=w:2EBBC17B-F2BF-CBA4-B0F0-4BC5BF6536CE&deviceId=6755461004769679&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6211dc2439144708b4bbfa8040fb5d70&localId=w:2EBBC17B-F2BF-CBA4-B0F0-4BC5BF6536CE&deviceId=6755461004769679&anid=

    HTTP Response

    204
  • 92.123.241.137:80
    http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt
    http
    418 B
    1.9kB
    5
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

    HTTP Response

    200
  • 92.123.241.137:80
    http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt
    http
    418 B
    1.8kB
    5
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

    HTTP Response

    200
  • 8.8.8.8:53
    136.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    136.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    gstatic.com
    dns
    bulder.exe
    57 B
    73 B
    1
    1

    DNS Request

    gstatic.com

    DNS Response

    142.251.36.3

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    56.179.17.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    56.179.17.96.in-addr.arpa

  • 8.8.8.8:53
    3.36.251.142.in-addr.arpa
    dns
    71 B
    109 B
    1
    1

    DNS Request

    3.36.251.142.in-addr.arpa

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    158 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    92.123.241.137

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    137.241.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    137.241.123.92.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    140.71.91.104.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    140.71.91.104.in-addr.arpa
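Most of the Network section above is the Windows image talking to itself (reverse lookups, Bing shell beacons, a CryptoAPI certificate fetch); only the gstatic.com lookup and GET are attributed to bulder.exe. The following Python helper is an added example, not tria.ge's code or the sample author's: it turns in-addr.arpa PTR names back into IPv4 addresses, keeps every event the report attributes to the sample, and labels the rest as OS noise using a host allow-list that is this example's own assumption. The event list is constructed from the entries above.

```python
"""Triage helper for the Network section of a tria.ge report.

Added example; not code from tria.ge or from the sample's author. The
events are constructed from the entries listed above, and the table of
hosts treated as Windows background traffic is this example's assumption.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts that a clean Windows 10 sandbox image talks to on its own. Treating
# them as noise is an assumption of this example, not a verdict of the report.
BACKGROUND_HOSTS = {
    "gstatic.com": "connectivity probe (generate_204), not command and control",
    "g.bing.com": "Windows Shell ad/telemetry beacon (WindowsShellClient user agent)",
    "www.microsoft.com": "CryptoAPI fetching an intermediate CA certificate",
}

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


@dataclass
class NetEvent:
    kind: str                 # "dns" or "http"
    name: str                 # queried name, or the full request URL for http
    qtype: str = ""           # DNS record type ("A", "PTR"); empty for http
    process: str = ""         # process the report attributes the event to, or ""
    answers: list = field(default_factory=list)


def ptr_to_ip(name):
    """Turn an in-addr.arpa name back into the IPv4 address it describes,
    e.g. '136.32.126.40.in-addr.arpa' -> '40.126.32.136'. Returns None for
    anything that is not a well-formed IPv4 reverse name."""
    m = PTR_RE.match(name.strip().rstrip("."))
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:   # an octet above 255
        return None


def host_of(event):
    if event.kind == "http":
        return (urlparse(event.name).hostname or "").lower()
    return event.name.rstrip(".").lower()


def classify(event, sample):
    """Bucket one event: reverse lookups carry no process attribution, so they
    are kept apart; anything attributed to the sample is kept whatever the
    host; the rest is either known OS noise or needs a human look."""
    if event.kind == "dns" and event.qtype.upper() == "PTR":
        return "reverse_lookup"
    if event.process == sample:
        return "sample"
    if host_of(event) in BACKGROUND_HOSTS:
        return "background"
    return "unattributed"


def triage(events, sample):
    out = {"sample": [], "reverse_lookup_ips": [], "background": set(), "unattributed": []}
    for ev in events:
        bucket = classify(ev, sample)
        if bucket == "reverse_lookup":
            out["reverse_lookup_ips"].append(ptr_to_ip(ev.name) or ev.name)
        elif bucket == "sample":
            host = host_of(ev)
            out["sample"].append({"kind": ev.kind, "host": host, "answers": list(ev.answers),
                                  "note": BACKGROUND_HOSTS.get(host, "not a known-benign host: investigate")})
        elif bucket == "background":
            out["background"].add(host_of(ev))
        else:
            out["unattributed"].append(host_of(ev))
    out["background"] = sorted(out["background"])
    return out


# Constructed from the report's Network section (a representative subset).
REPORT_EVENTS = [
    NetEvent("dns", "136.32.126.40.in-addr.arpa", "PTR"),
    NetEvent("dns", "gstatic.com", "A", "bulder.exe", ["142.251.36.3"]),
    NetEvent("http", "https://gstatic.com/generate_204", process="bulder.exe"),
    NetEvent("dns", "3.36.251.142.in-addr.arpa", "PTR", answers=["ams15s44-in-f3.1e100.net"]),
    NetEvent("dns", "g.bing.com", "A", answers=["204.79.197.200", "13.107.21.200"]),
    NetEvent("http", "https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597"),
    NetEvent("dns", "www.microsoft.com", "A", answers=["92.123.241.137"]),
    NetEvent("http", "http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt"),
]

if __name__ == "__main__":
    for key, value in triage(REPORT_EVENTS, "bulder.exe").items():
        print(f"{key}: {value}")
```

Run against the constructed events, the "sample" bucket holds only the two gstatic.com events, both labelled as a connectivity probe; everything the report leaves unattributed lands in "background" or, for PTR queries, as decoded addresses. A host that is neither attributed to the sample nor on the allow-list ends up in "unattributed", which is the list worth reading first in a longer run.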

MITRE ATT&CK Matrix


Downloads

  • memory/372-0-0x000001CB5C9E0000-0x000001CB5CA20000-memory.dmp

    Filesize

    256KB

  • memory/372-1-0x00007FFFD5B10000-0x00007FFFD65D1000-memory.dmp

    Filesize

    10.8MB

  • memory/372-2-0x000001CB5CE10000-0x000001CB5CE20000-memory.dmp

    Filesize

    64KB

  • memory/372-3-0x00007FFFD5B10000-0x00007FFFD65D1000-memory.dmp

    Filesize

    10.8MB

  • memory/372-4-0x000001CB5CE10000-0x000001CB5CE20000-memory.dmp

    Filesize

    64KB
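The dump file names above encode the PID, a sequence number and the address range of each region, so the displayed file size can be cross-checked before anything is downloaded. The Python below is an added example, not tria.ge's code: it parses the names, derives each region's size from its range, compares it with the displayed size (tolerance set to half of the last displayed digit, this example's rule), flags regions dumped more than once, and tags each region with a high-range/low-range heuristic that is also this example's assumption. The list of names and sizes is constructed from the Downloads entries above.

```python
"""Consistency checks for the memory-dump entries in a tria.ge Downloads list.

Added example; not tria.ge's code. The file names and sizes are the ones
listed above; the size-tolerance rule and the address-range heuristic are this
example's assumptions.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
SIZE_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?\s*([KMG]?B)\s*$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Heuristic (assumption): in a 64-bit Windows process, mapped images such as
# system DLLs sit near the top of user space (0x00007FF...), while heaps and
# VirtualAlloc regions usually sit much lower.
IMAGE_RANGE_START = 0x00007FF000000000


def parse_dump_name(name):
    """Split 'memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp' into its fields
    and derive the region size from the address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a tria.ge memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start,
            "kind": "image range" if start >= IMAGE_RANGE_START else "private/heap range"}


def parse_size(text):
    """Parse a displayed size such as '10.8MB' into (bytes, tolerance_bytes).
    The tolerance is half of the last displayed digit, so '10.8MB' accepts
    anything within 0.05 MB and '256KB' anything within 512 bytes."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    whole, frac, unit = m.groups()
    value = float(whole + ("." + frac if frac else ""))
    decimals = len(frac) if frac else 0
    unit_bytes = UNITS[unit]
    tolerance = unit_bytes * (10 ** -decimals) / 2
    return round(value * unit_bytes), tolerance


def check_downloads(entries):
    """entries: iterable of (file name, displayed size). Returns one dict per
    entry with the parsed fields plus 'ok' (range size agrees with the size)."""
    results = []
    for name, shown in entries:
        info = parse_dump_name(name)
        reported, tol = parse_size(shown)
        info["reported"] = reported
        info["ok"] = abs(info["size"] - reported) <= tol
        results.append(info)
    return results


def duplicate_regions(results):
    """Map (start, end) -> indices for regions dumped more than once, so the
    analyst opens each distinct region only once."""
    seen = {}
    for r in results:
        seen.setdefault((r["start"], r["end"]), []).append(r["index"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


# Constructed from the Downloads list above.
DOWNLOADS = [
    ("memory/372-0-0x000001CB5C9E0000-0x000001CB5CA20000-memory.dmp", "256KB"),
    ("memory/372-1-0x00007FFFD5B10000-0x00007FFFD65D1000-memory.dmp", "10.8MB"),
    ("memory/372-2-0x000001CB5CE10000-0x000001CB5CE20000-memory.dmp", "64KB"),
    ("memory/372-3-0x00007FFFD5B10000-0x00007FFFD65D1000-memory.dmp", "10.8MB"),
    ("memory/372-4-0x000001CB5CE10000-0x000001CB5CE20000-memory.dmp", "64KB"),
]

if __name__ == "__main__":
    checked = check_downloads(DOWNLOADS)
    for r in checked:
        print(f"pid {r['pid']} #{r['index']}: 0x{r['start']:X}-0x{r['end']:X} "
              f"{r['size']} B ({r['kind']}) reported {r['reported']} B -> "
              f"{'ok' if r['ok'] else 'MISMATCH'}")
    for (start, end), idx in duplicate_regions(checked).items():
        print(f"region 0x{start:X}-0x{end:X} dumped {len(idx)} times: indices {idx}")
```

On the five entries above every range agrees with its displayed size (the 10.8MB region is 0xAC1000 bytes, 10.75 MB, which rounds to the shown value), and two regions appear twice (indices 1/3 and 2/4), so there are only three distinct regions to examine: a 256KB and a 64KB low-range private allocation and one 10.8MB high-range mapping.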
