Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09/01/2025, 19:59

General

  • Target

    void.exe

  • Size

    1.2MB

  • MD5

    b95ebcf2ae71c29e2fab45e455454f66

  • SHA1

    6d2b76cca8a9f9b83652b570fdc56a2b39c1a3da

  • SHA256

    26ab66ebbaebd820ba8be4da58fe5d2403f29c254e6946354e128b4379b09ef6

  • SHA512

    975bb6f3c364a5a77839d26ebb0b954d057b42a3e7dcc02254873025142b791c1522e754b916d6440840449f8b4cc6c8ecc63b3b2d5067f84342ffaa4f8f5550

  • SSDEEP

    24576:qU+9XNrenyktDLdYNtcdvQNC9wHAP5c1gfZRI8seEW0b3cENImHHmSv:U5OVeyff+v

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1326189868132470804/0PHWSyQSIa4FHLD7ongsl606LGHkxDinslZqvpEbR2nHgiv9NT-W3uGflUZv7ShrMLLF

Signatures

  • Detect Umbral payload 3 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Umbral family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\void.exe
    "C:\Users\Admin\AppData\Local\Temp\void.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\triggerbot.exe
      "C:\Users\Admin\AppData\Local\Temp\triggerbot.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:328
    • C:\Users\Admin\AppData\Local\Temp\Source code.exe
      "C:\Users\Admin\AppData\Local\Temp\Source code.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2812
      • C:\Windows\system32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Source code.exe"
        3⤵
        • Views/modifies file attributes
        PID:2760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Source code.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2192
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2024
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:1648
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:2988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2476
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:2528
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Source code.exe" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:1704
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:844

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Source code.exe

        Filesize

        230KB

        MD5

        1bd8c57a285b16031347d648da8236df

        SHA1

        22d317dbcba46fe01d194f317e1723f8f56ddf03

        SHA256

        3fc0488caefd731de70f92c6fb7bc71ddaa9c95304692357a53681d9878e4fe2

        SHA512

        bcfcc853a09512fc320205e264d365d73313b6269438a278459a65f16ee2bbb27c84f10f1aef42b38211936276a220b29011ef86e8fcccc4d002be55a63382fd

      • C:\Users\Admin\AppData\Local\Temp\triggerbot.exe

        Filesize

        969KB

        MD5

        24f2d1b0276c92bedd06612a34fda910

        SHA1

        f7c414b64d302f272785df5e62076fabdf7d5719

        SHA256

        02294d7cc5012fe8c48886c07d774f1be2606890b4f1e08254995cce42cfa95a

        SHA512

        7789ab39108188ef25ffe12fa76ce5d99cc19353b8e13b05eba5429c84e4a07cd5cd0995f0b08eb485826b665bb17e96320e62ff554469d064428b73f40ef766

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        6dede0525bf9ef1599324641126e6f23

        SHA1

        96c2e4956bf319eff5bc19952b0be49f3df09c96

        SHA256

        6d97d6026a643bddbe3695cdef973877350b56bc34a8cf4423831b191fc6c49d

        SHA512

        b200d777a6a1e09ccdafc8b11d5d6a125d27f6e82550b1d15a3dd068fb1626270d86ee1f4e2c6f37e26391b3ea74d0f83d5a34ac65b0b09950b7b28548c0e0df

      • memory/2100-10-0x0000000000400000-0x0000000000536000-memory.dmp

        Filesize

        1.2MB

      • memory/2192-18-0x000000001B5A0000-0x000000001B882000-memory.dmp

        Filesize

        2.9MB

      • memory/2192-19-0x0000000002970000-0x0000000002978000-memory.dmp

        Filesize

        32KB

      • memory/2384-13-0x0000000001330000-0x0000000001370000-memory.dmp

        Filesize

        256KB

      • memory/2476-54-0x0000000001D20000-0x0000000001D28000-memory.dmp

        Filesize

        32KB

      • memory/2596-25-0x000000001B610000-0x000000001B8F2000-memory.dmp

        Filesize

        2.9MB

      • memory/2596-26-0x0000000002860000-0x0000000002868000-memory.dmp

        Filesize

        32KB