Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

WindowsFormsApp5.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    141s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31/08/2024, 22:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WindowsFormsApp5.exe

  • Size

    8KB

  • MD5

    ef8b399d71141333959e41ec67917581

  • SHA1

    896e70fe19495589eb4fd338f0ca4a09f406f983

  • SHA256

    68be9bbac51892ca8e7f461d1509ae1058ba7b0a435658beebf10423ff5bad01

  • SHA512

    7fa42a455bfa0c7e7fa8c67cbd0f2f3d61b8cf9afe8974e2f7a8381484a76adb3f155d71128599734d9b1b2e4eb494ed33c64f0f8148c1cf964cb57925d2fe16

  • SSDEEP

    192:uJy2O0tL1YLu0pWzkLzLeLo/rrVCsfznxT12a5k:Ey2XtL+LjpWzkLzLeLorrVxfznxc

Score
10/10
umbralcredential_accessdiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1279545169913450556/F_7JgLiTKgmmhN5sN7p6WPAM8OYTa9TQPfck7MU2KymIAhgn1OZL-VqUQz_C_syu1_N1

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp5.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\Temp\rbxUPDATE.exe
      "C:\Users\Admin\AppData\Local\Temp\rbxUPDATE.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rbxUPDATE.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3896
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1536
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1572
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1416
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:2548
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:5084
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:4124
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:2920

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        8592ba100a78835a6b94d5949e13dfc1

        SHA1

        63e901200ab9a57c7dd4c078d7f75dcd3b357020

        SHA256

        fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

        SHA512

        87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        4347f57bcbda12548143742c401d1a7a

        SHA1

        fccab34c2a5c7ab01a1a644719c4c1435d5e9dc3

        SHA256

        c9e5171d7f3bcd90f1b4e2e2b93f8e6fec1c7d510e31e5ebecedc510dd579529

        SHA512

        d0bcd5c52502f75d6eef80b0b84ca717740453288b09aa3764f7721c9fadaadcd7c7aaae68746f87cc04e6d5a3463f3ad4b18232c55da317af369391c040ae66

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        c70194033559b329a459097f7ad224c4

        SHA1

        161c58db2511666234096c633f6b276ef4c0cece

        SHA256

        dc4d4bf84f25a1e10053ba79f99870078745105aa6465631484d7e6515ddff69

        SHA512

        7ec19acc6ba129853c6c6d2242dfe724ac9d27410f1954fb3fb3a74c52fd110e24bec5e2a83d145e9b9a4da3142e0af5bab564a2af07ce17b45f3d181683bc47

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        9e99aeefc8e6860a8f8e0d340533b16c

        SHA1

        f6809d9869faa80cd839578fe59ca7a2e3b66c5e

        SHA256

        62618a3bf08f564e4b8cf29cebed3498f668427e09506aa9fe6fdcd66deaaa2c

        SHA512

        a3ab90c67c8b8ff74167e10bc4a46ecf7ab7cce4326de08bf7c48a897217ddd20411929efd53b17d13b5fe329bdbe95edb3c14281ae4341eb1ae68da3ef91ba0

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        4ada6ada86999644403fceedd1a7f40a

        SHA1

        ca769115eee76274c87f883c2ccca914d9895ff7

        SHA256

        9c475817330a2177a0e5f7fba969af7c99aeddb3f200619cc91810a6a399e007

        SHA512

        1718c30f5fba55ac0d2ea95f0f33283a5f9761e5ddb6f6857f8abaa2b65449eca69937f69a93f86dc73806b17a9ecfad159daa354716c9b2f0d1a19f741b0af9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_otqnresp.ymf.ps1
        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\rbxUPDATE.exe
        Filesize

        231KB

        MD5

        ee63a99349bb5cae11c6d9a8cc514394

        SHA1

        8461684b7f0caace91e1c4a623c734fcd02f60e8

        SHA256

        ed195cecc21f7c2527e75ab0609ab3507f46dc7f5fa52e11fadaea41dd199a2b

        SHA512

        dbdbc35181bef651ebf0f89f8d2623fde4a5a903c5d77a909da0d0dda77d99c674e117a64e64aca882ecb796fe8d71bc6e8c7846460e1b5ad7e8de5460070b34

        Download Submit

      • memory/500-18-0x0000017A66F00000-0x0000017A66F22000-memory.dmp

        Filesize

        136KB

        Download

      • memory/500-21-0x0000017A670B0000-0x0000017A67126000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2516-1-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2516-2-0x00000000059F0000-0x0000000005EEE000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/2516-189-0x00000000734E0000-0x0000000073BCE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2516-0-0x00000000734EE000-0x00000000734EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2516-5-0x00000000734E0000-0x0000000073BCE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2516-4-0x00000000054C0000-0x00000000054CA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2516-184-0x00000000734EE000-0x00000000734EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2516-3-0x0000000005410000-0x00000000054A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2596-92-0x000001536EA00000-0x000001536EA1E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2596-13-0x00007FF9338A0000-0x00007FF93428C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2596-156-0x000001536EA20000-0x000001536EA2A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2596-157-0x000001536F3E0000-0x000001536F3F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2596-11-0x000001536CC70000-0x000001536CCB0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2596-91-0x000001536F390000-0x000001536F3E0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2596-188-0x000001536E9B0000-0x000001536E9D1000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2596-12-0x00007FF9338A3000-0x00007FF9338A4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2596-190-0x00007FF9338A0000-0x00007FF93428C000-memory.dmp

        Filesize

        9.9MB

        Download