Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15/04/2024, 16:52 UTC

General

  • Target

    ClientBetaNew.exe

  • Size

    229KB

  • MD5

    e7fca17393a9f4cb9ccb2f65fc2bb214

  • SHA1

    cef26fa30e3f68d85ab923beecc0cd0dbfa2a720

  • SHA256

    499282fecf90d5dcdf2b01ca4413c37477ec17b6068b43300dfeaefa1fb50978

  • SHA512

    303fe673e0d12410010971fb15ae58751948a7e0fb559e97acf5c73df0a7987dc8d423d59ebdfdfee79ef2696795ecf78543dcb74bebf6073a65229a2d24b80a

  • SSDEEP

    6144:9loZM+rIkd8g+EtXHkv/iD4rzQumkrHM99YW3X2gyb8e1mtzi:foZtL+EP8rzQumkrHM99YW3X23Ie

Score
10/10

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe
    "C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3940

Network

  • flag-us
    DNS
    gstatic.com
    ClientBetaNew.exe
    Remote address:
    8.8.8.8:53
    Request
    gstatic.com
    IN A
    Response
    gstatic.com
    IN A
    142.250.200.35
  • flag-gb
    GET
    https://gstatic.com/generate_204
    ClientBetaNew.exe
    Remote address:
    142.250.200.35:443
    Request
    GET /generate_204 HTTP/1.1
    Host: gstatic.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 204 No Content
    Content-Length: 0
    Cross-Origin-Resource-Policy: cross-origin
    Date: Mon, 15 Apr 2024 16:52:15 GMT
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    35.200.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    35.200.250.142.in-addr.arpa
    IN PTR
    Response
    35.200.250.142.in-addr.arpa
    IN PTR
    lhr48s30-in-f31e100net
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 142.250.200.35:443
    https://gstatic.com/generate_204
    tls, http
    ClientBetaNew.exe
    810 B
    5.2kB
    10
    10

    HTTP Request

    GET https://gstatic.com/generate_204

    HTTP Response

    204
  • 8.8.8.8:53
    gstatic.com
    dns
    ClientBetaNew.exe
    57 B
    73 B
    1
    1

    DNS Request

    gstatic.com

    DNS Response

    142.250.200.35

  • 8.8.8.8:53
    35.200.250.142.in-addr.arpa
    dns
    73 B
    111 B
    1
    1

    DNS Request

    35.200.250.142.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    9.173.189.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    9.173.189.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1468-0-0x0000024DF5490000-0x0000024DF54D0000-memory.dmp

    Filesize

    256KB

  • memory/1468-1-0x00007FFFC0F50000-0x00007FFFC193C000-memory.dmp

    Filesize

    9.9MB

  • memory/1468-2-0x0000024DF7BA0000-0x0000024DF7BB0000-memory.dmp

    Filesize

    64KB

  • memory/1468-4-0x00007FFFC0F50000-0x00007FFFC193C000-memory.dmp

    Filesize

    9.9MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.