Analysis

  • max time kernel
    45s
  • max time network
    25s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    02/09/2024, 16:41

General

  • Target

    discord.png.exe

  • Size

    225KB

  • MD5

    44041b93332122228c15d8fd2fdc826d

  • SHA1

    47069ad7151444f7412036952272405000d0e3f9

  • SHA256

    9c71bd0581840574d1ea5919284bbb89e6e19f883bf8ffc4b50c03aea223067e

  • SHA512

    e109c3d7fbd6fc892ae28fe66092dcf5723de577eefb6a363cd571e422b7ce23e54b4f2ba1988b792f7abc8cac83981b1311f16b2a8c7f95081d654c03ce1f7f

  • SSDEEP

    3072:WeEDoF+/dwv+J5evFqmHNNhmqOOR81MK1vHM/2M:WoFzvGeNqcNNs9L1vHM/

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1279958073611653151/sgCCzoTAUY2GdBiQCHyal38EkTL7KHY4qK_JXgYBYU5QznfI7jIvFFaW3IHI9Y8dsDm8

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 58 IoCs
  • Suspicious use of SendNotifyMessage 58 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\discord.png.exe
    "C:\Users\Admin\AppData\Local\Temp\discord.png.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Admin\AppData\Local\Temp\discord.exe
      "C:\Users\Admin\AppData\Local\Temp\discord.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4428
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\discord.exe"
        3⤵
        • Views/modifies file attributes
        PID:256
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discord.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2292
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3108
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        PID:1584
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        PID:3524
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:2192
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3276
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:2304
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\discord.exe" && pause
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:468
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3660
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4824

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          3KB

          MD5

          8592ba100a78835a6b94d5949e13dfc1

          SHA1

          63e901200ab9a57c7dd4c078d7f75dcd3b357020

          SHA256

          fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

          SHA512

          87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          9fd27146f57e9b13f4d16dfe0c66a4c5

          SHA1

          214e2900f8e5176f6a3eade3327f8c160b73f0ff

          SHA256

          ef59b0a80606e7b5efdca1f5eb4d0203f223e4c8183ccb225f0090edeabd744f

          SHA512

          d7d0e80c63f31545ad475f6554328883845bc9019e349527f32ae48cdb9df96db453093544962011fcfd37274b48d0a9afdc5ecb98e8e4142af5de642b764fc9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          b353f933f0657ccbfe7b8fa8312c1907

          SHA1

          79e99d89a16ba75c3ec9c337674202c01c4b9601

          SHA256

          65efc9322bc38e81d1caf63920772dda4ffb47601080ea663a79cc00cd1fcd7a

          SHA512

          efa0199192d9ab88f4548c5b2b4058fffbaf0c3954153473fde91de5fd586eae6747031b7c2e96ed774800d9707dcc119c4ecfaadbc3d2ca051d94bebb61d5a6

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          ba9afe039f00b851008f0e104d69984e

          SHA1

          f8451e0af36c74c144ff69a96d9629bb9a01d793

          SHA256

          ca5a5d604457a5049906b7e4dc7af652f1a2450f0865bcd1f127aacf731f4338

          SHA512

          0836dd8c2834ff74c048060e5f085471641a1d3a12a22a00e84ef1d2d329f30a96998082da040be0e5973c143593b55e4c7702eef60b181402d2547cbe47e025

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          c30d5ded414d1f15b0938f03ded7c51d

          SHA1

          e71191b4f29dabefb32b7d770976e636810d6110

          SHA256

          0c8fe612cb8cfb8fd9d51904f498e06e2cbdb02f963227f8530419d85d6acf37

          SHA512

          2e8a01b3ba2f78d8ee2c90add119b180ae7736f26d46930b6af549c70fc460431fbb6dfd276e1193283fc01cedae61ad913465f99adf18db8a9ee7bbc24c5c58

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_npmbwshp.wy1.ps1

          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

        • C:\Users\Admin\AppData\Local\Temp\discord.exe

          Filesize

          334KB

          MD5

          d30f272184cafaf82c7170416d4665f9

          SHA1

          2aba82b1ce7a24f1c4c26dddb20c1fb63c3ab700

          SHA256

          4435fc2a11ae17031e1c52a0b8945701ff35d550413cdc20b528d68a0f20dc32

          SHA512

          8d3e11467c74ea04863dd3477878356a359439409b31dd9afc55ae7cd156960797efe0510019f2ac8d73446e60b92deafc56e03b268c1c655bb5469fb374957a
