Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
131s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
15/04/2024, 16:52 UTC
Behavioral task
behavioral1
Sample
ClientBetaNew.exe
Resource
win7-20240319-en
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
ClientBetaNew.exe
Resource
win10-20240404-en
4 signatures
150 seconds
Behavioral task
behavioral3
Sample
ClientBetaNew.exe
Resource
win10v2004-20240412-en
12 signatures
150 seconds
General
-
Target
ClientBetaNew.exe
-
Size
229KB
-
MD5
e7fca17393a9f4cb9ccb2f65fc2bb214
-
SHA1
cef26fa30e3f68d85ab923beecc0cd0dbfa2a720
-
SHA256
499282fecf90d5dcdf2b01ca4413c37477ec17b6068b43300dfeaefa1fb50978
-
SHA512
303fe673e0d12410010971fb15ae58751948a7e0fb559e97acf5c73df0a7987dc8d423d59ebdfdfee79ef2696795ecf78543dcb74bebf6073a65229a2d24b80a
-
SSDEEP
6144:9loZM+rIkd8g+EtXHkv/iD4rzQumkrHM99YW3X2gyb8e1mtzi:foZtL+EP8rzQumkrHM99YW3X23Ie
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral2/memory/1468-0-0x0000024DF5490000-0x0000024DF54D0000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 1468 ClientBetaNew.exe Token: SeIncreaseQuotaPrivilege 3940 wmic.exe Token: SeSecurityPrivilege 3940 wmic.exe Token: SeTakeOwnershipPrivilege 3940 wmic.exe Token: SeLoadDriverPrivilege 3940 wmic.exe Token: SeSystemProfilePrivilege 3940 wmic.exe Token: SeSystemtimePrivilege 3940 wmic.exe Token: SeProfSingleProcessPrivilege 3940 wmic.exe Token: SeIncBasePriorityPrivilege 3940 wmic.exe Token: SeCreatePagefilePrivilege 3940 wmic.exe Token: SeBackupPrivilege 3940 wmic.exe Token: SeRestorePrivilege 3940 wmic.exe Token: SeShutdownPrivilege 3940 wmic.exe Token: SeDebugPrivilege 3940 wmic.exe Token: SeSystemEnvironmentPrivilege 3940 wmic.exe Token: SeRemoteShutdownPrivilege 3940 wmic.exe Token: SeUndockPrivilege 3940 wmic.exe Token: SeManageVolumePrivilege 3940 wmic.exe Token: 33 3940 wmic.exe Token: 34 3940 wmic.exe Token: 35 3940 wmic.exe Token: 36 3940 wmic.exe Token: SeIncreaseQuotaPrivilege 3940 wmic.exe Token: SeSecurityPrivilege 3940 wmic.exe Token: SeTakeOwnershipPrivilege 3940 wmic.exe Token: SeLoadDriverPrivilege 3940 wmic.exe Token: SeSystemProfilePrivilege 3940 wmic.exe Token: SeSystemtimePrivilege 3940 wmic.exe Token: SeProfSingleProcessPrivilege 3940 wmic.exe Token: SeIncBasePriorityPrivilege 3940 wmic.exe Token: SeCreatePagefilePrivilege 3940 wmic.exe Token: SeBackupPrivilege 3940 wmic.exe Token: SeRestorePrivilege 3940 wmic.exe Token: SeShutdownPrivilege 3940 wmic.exe Token: SeDebugPrivilege 3940 wmic.exe Token: SeSystemEnvironmentPrivilege 3940 wmic.exe Token: SeRemoteShutdownPrivilege 3940 wmic.exe Token: SeUndockPrivilege 3940 wmic.exe Token: SeManageVolumePrivilege 3940 wmic.exe Token: 33 3940 wmic.exe Token: 34 3940 wmic.exe Token: 35 3940 wmic.exe Token: 36 3940 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1468 wrote to memory of 3940 1468 ClientBetaNew.exe 72 PID 1468 wrote to memory of 3940 1468 ClientBetaNew.exe 72
Processes
-
C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3940
-
Network
-
Remote address:8.8.8.8:53Requestgstatic.comIN AResponsegstatic.comIN A142.250.200.35
-
Remote address:142.250.200.35:443RequestGET /generate_204 HTTP/1.1
Host: gstatic.com
Connection: Keep-Alive
ResponseHTTP/1.1 204 No Content
Cross-Origin-Resource-Policy: cross-origin
Date: Mon, 15 Apr 2024 16:52:15 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Request35.200.250.142.in-addr.arpaIN PTRResponse35.200.250.142.in-addr.arpaIN PTRlhr48s30-in-f31e100net
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request9.173.189.20.in-addr.arpaIN PTRResponse
-
810 B 5.2kB 10 10
HTTP Request
GET https://gstatic.com/generate_204HTTP Response
204
-
57 B 73 B 1 1
DNS Request
gstatic.com
DNS Response
142.250.200.35
-
73 B 111 B 1 1
DNS Request
35.200.250.142.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
9.173.189.20.in-addr.arpa