Analysis

  • max time kernel
    44s
  • max time network
    46s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    07/09/2024, 15:34

Errors

Reason
Machine shutdown

General

  • Target

    Rust AntiCheat.exe

  • Size

    1.1MB

  • MD5

    9b044bfee63da32d66539cd56741e2d7

  • SHA1

    22b313baac54ea88cb581347d7226073033cb64c

  • SHA256

    3acef42e6894019c44addea96a3ef2048b7b0f902b805c2e8d093db549091297

  • SHA512

    f0cf4ef7516a7227a92ad9e098661f2683e07418cce2473851eaa6deb3c1db4859d9ce50f1615288e28c668b69fefb9ba1c2069dc2fe84c54a97616cf7ba7876

  • SSDEEP

    24576:7cM0t9RyT52bxGzz9qshXGFh9jvTXZbX5y4h1ptssmnt:ArRyT529KXgh9btbXJbGsmt

Malware Config

Extracted

Family

umbral

C2

https://ptb.discord.com/api/webhooks/1271826116721639445/0LTa3NkwRKKJuRNql7cAkLRG6HVFF6qerOeff_MVz-9g28SPb06nhaG45QDZdp1IGvu2

Extracted

Family

xworm

C2

expected-schema.gl.at.ply.gg:2980

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    USB.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Modifies data under HKEY_USERS 15 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Rust AntiCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\Rust AntiCheat.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Users\Admin\AppData\Local\Loader (1).exe
      "C:\Users\Admin\AppData\Local\Loader (1).exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2920
    • C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\RuntimeBroker'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3396
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\AppData\Local\RuntimeBroker"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5064
      • C:\Windows\SYSTEM32\shutdown.exe
        shutdown.exe /f /s /t 0
        3⤵
        PID:484
    • C:\Users\Admin\AppData\Local\Umbral.exe
      "C:\Users\Admin\AppData\Local\Umbral.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2008
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Umbral.exe"
        3⤵
        • Views/modifies file attributes
        PID:2524
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Umbral.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3332
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4072
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3020
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2356
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        PID:1028
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:4612
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4608
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:5024
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Umbral.exe" && pause
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2248
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:428
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a2d855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Loader (1).exe

          Filesize

          827KB

          MD5

          eefb801774c5ccb44153268a9357f5f1

          SHA1

          b1906b22e14edd142c52808ab3e5ba9346b85de5

          SHA256

          677aeb1981c58cba41a5d53ccbbf5b471e62dc49dc326570767da940560d840d

          SHA512

          1cf162fe6184d68dca514059d2de1123e80d0faac401765a54224aa5a987c9454bc92263fbec566835aa7b402f1f63ba59bb425ccc139e0a7391e66991f270b7

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          627073ee3ca9676911bee35548eff2b8

          SHA1

          4c4b68c65e2cab9864b51167d710aa29ebdcff2e

          SHA256

          85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

          SHA512

          3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          0ac871344dc49ae49f13f0f88acb4868

          SHA1

          5a073862375c7e79255bb0eab32c635b57a77f98

          SHA256

          688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

          SHA512

          ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          991e8f3bdc04acca98024f7311752070

          SHA1

          76005ee90a2772414bc7231d6192a942dde9d499

          SHA256

          788799ff1be9e0abccbadc1d574ed7f36e7bc6833d942b5c177ed4e50c6dae44

          SHA512

          b7ecfcc910ecf00694e1b65ff4aa34caeb8f05db2aa10ca032885d1262efe74dee874abaa1399297144259f3ce2a7e48301c79477c51c5369c5911742c4fc326

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          c2bc937bb6b899217f6922c3a5dda964

          SHA1

          70831071e72e3edc48c886e0b1652555fb546459

          SHA256

          d3c31cc22b41f39f68893a11523f30ad007944c41ab46717b04111bc000a1c1c

          SHA512

          ff1d23e33d10ec9517388ae6daf1715d958bddd8b1b4deaff7f5fd2e502ab8934d460479074ce6f264477d0a4357398b47b1a983bbafdf024011ab2c4425a678

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          781da0576417bf414dc558e5a315e2be

          SHA1

          215451c1e370be595f1c389f587efeaa93108b4c

          SHA256

          41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

          SHA512

          24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          64B

          MD5

          7f81c3ba861f1a722421cc95d105fecd

          SHA1

          1e6e9a67f190deb407c6fdbd224ce90b833490e0

          SHA256

          cebaa9795b2039a5784a0edcbf89cb298259a34c5aa7f89ba31344203ea37a81

          SHA512

          1d44780b537d2797aaa636d913e2fb5dc00484d3bf9cbf42a67c7cd7988ff756326e9725b832df85c0c2fb1bc7c25f1ffa66e9b3ae5127868f38a88546a7555d

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          1a9fa92a4f2e2ec9e244d43a6a4f8fb9

          SHA1

          9910190edfaccece1dfcc1d92e357772f5dae8f7

          SHA256

          0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

          SHA512

          5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          948B

          MD5

          fa21dd50b4e64421076f843031c8ccf7

          SHA1

          2c56e94f130c0d8d77116e939ffee4e37cf982bd

          SHA256

          e4f21aca1e12aafa8de7af24b79a75526e902c7d4b3fea5bdb6e723976997be3

          SHA512

          b8de2bfeb7af06c587dd1f424d410cf83471f31a55a3ea4c4481ce07ffd9bf66ddc1f7775ecd6ac65ac33baaec90ba5a208a9aefc84f31125a50dfb919982687

        • C:\Users\Admin\AppData\Local\RuntimeBroker.exe

          Filesize

          90KB

          MD5

          79fef04d806d7916fa1bf6d30358d4de

          SHA1

          2afb944edcf58c6594c734fbe0c8416b6bc1f447

          SHA256

          76f2d446e7fc3631f352180c201de9eb139d1acf3daf5dd63fe69502fa253bf1

          SHA512

          897021db19492ed9cf5ae3d68d840af1f68cf8836b1e5935485e42e569ecf8c95c85fe50b9e25ab13275209ed112906d06ef03a83502a0fa5904e60d3c3dad1e

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nlzgnw45.yfz.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Umbral.exe

          Filesize

          231KB

          MD5

          2986f5be729cdf63ccb15a204a46d31b

          SHA1

          a7a733787f7aa226153d4ff693349cd88fc4a96f

          SHA256

          9242c3d80edfd477acaac2f7037d8fe77395b31c0c923cd65309df09ce2c8403

          SHA512

          edbb2cb4731d59e92ccf781d25569efa1a9ecd1df116860673898606d5e208e6c39fd8ab2066c902c542bdd61acc6c204eabad30a0d3f1ead82973005cc037f5

        • memory/2264-104-0x000002ABAF710000-0x000002ABAF71A000-memory.dmp

          Filesize

          40KB

        • memory/2264-36-0x000002ABAD7B0000-0x000002ABAD7F0000-memory.dmp

          Filesize

          256KB

        • memory/2264-167-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

          Filesize

          10.8MB

        • memory/2264-163-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

          Filesize

          10.8MB

        • memory/2264-68-0x000002ABC7FE0000-0x000002ABC8056000-memory.dmp

          Filesize

          472KB

        • memory/2264-69-0x000002ABC7F60000-0x000002ABC7FB0000-memory.dmp

          Filesize

          320KB

        • memory/2264-70-0x000002ABAF6D0000-0x000002ABAF6EE000-memory.dmp

          Filesize

          120KB

        • memory/2264-40-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

          Filesize

          10.8MB

        • memory/2264-105-0x000002ABC7FB0000-0x000002ABC7FC2000-memory.dmp

          Filesize

          72KB

        • memory/2920-39-0x0000000000800000-0x00000000008D6000-memory.dmp

          Filesize

          856KB

        • memory/2920-43-0x00000000086F0000-0x00000000086FE000-memory.dmp

          Filesize

          56KB

        • memory/2920-42-0x0000000008730000-0x0000000008768000-memory.dmp

          Filesize

          224KB

        • memory/3332-49-0x000001D906460000-0x000001D906482000-memory.dmp

          Filesize

          136KB

        • memory/3672-38-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

          Filesize

          10.8MB

        • memory/3672-37-0x0000000000D50000-0x0000000000D6C000-memory.dmp

          Filesize

          112KB

        • memory/3672-162-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

          Filesize

          10.8MB

        • memory/3672-168-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

          Filesize

          10.8MB

        • memory/4500-0-0x00007FFDC8A73000-0x00007FFDC8A75000-memory.dmp

          Filesize

          8KB

        • memory/4500-1-0x0000000000EF0000-0x0000000001018000-memory.dmp

          Filesize

          1.2MB