Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 119s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20241010-en
  resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted: 07/02/2025, 00:50

Behavioral task: behavioral1
  Sample: 66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe
  Resource: win7-20241010-en

General
  Target: 66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe
  Size: 227KB
  MD5: 87d805618091e568a056c988e2c26cfa
  SHA1: aedfd6340df353946e6a6b0be5b0f02c3bc69bd2
  SHA256: 66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62
  SHA512: cace3d172fe91b7a971b5fdd64173fdc7a71ce8ca44b4af89a5ce1db9076e9e36614a3fa98305605f593ebcacc27aa0cb8b076a033f0693a5c7b93d0a98c255a
  SSDEEP: 6144:+loZM+rIkd8g+EtXHkv/iD4ZCaClZ8e1mU0o2i:ooZtL+EP8wDD0G
Malware Config
Signatures

Detect Umbral payload  1 IoCs
  resource: behavioral1/memory/1944-1-0x0000000000360000-0x00000000003A0000-memory.dmp
  yara_rule: family_umbral

Umbral family

Command and Scripting Interpreter: PowerShell  1 TTPs 4 IoCs
  pid   Process
  2688  powershell.exe
  264   powershell.exe
  2968  powershell.exe
  2992  powershell.exe

Drops file in Drivers directory  1 IoCs
  description: File opened for modification
  ioc: C:\Windows\System32\drivers\etc\hosts
  Process: 66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe

Deletes itself  1 IoCs
  pid   Process
  2784  cmd.exe

Reads user/profile data of web browsers  3 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2  1 TTPs 2 IoCs
  flow  ioc
  10    discord.com
  9     discord.com

Looks up external IP address via web service  1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  6     ip-api.com

System Network Configuration Discovery: Internet Connection Discovery  1 TTPs 2 IoCs
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2784  cmd.exe
  1740  PING.EXE

Detects videocard installed  1 TTPs 1 IoCs
  Uses WMIC.exe to determine videocard installed.
  pid   Process
  2516  wmic.exe

Runs ping.exe  1 TTPs 1 IoCs
  pid   Process
  1740  PING.EXE

Suspicious behavior: EnumeratesProcesses  6 IoCs
  pid   Process
  1944  66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe
  2992  powershell.exe
  2968  powershell.exe
  2688  powershell.exe
  1500  powershell.exe
  264   powershell.exe

Suspicious use of AdjustPrivilegeToken  64 IoCs
  pid   Process                                                               Token(s) enabled
  1944  66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe  SeDebugPrivilege
  2184  wmic.exe                                                              SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (whole set enabled twice)
  2992  powershell.exe                                                        SeDebugPrivilege
  2968  powershell.exe                                                        SeDebugPrivilege
  2688  powershell.exe                                                        SeDebugPrivilege
  1500  powershell.exe                                                        SeDebugPrivilege
  1136  wmic.exe                                                              SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34 (list ends at entry 64)
  wmic.exe enables every privilege present in its token when it starts, so the wmic.exe rows are baseline noise for any WMIC invocation; the SeDebugPrivilege enables by the sample and its PowerShell children are the entries worth attention.

Suspicious use of WriteProcessMemory  39 IoCs
  Each spawn is recorded three times; procid_target is given as reported.
  66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe (PID 1944) wrote to memory of:
    2184  (x3)  procid_target 30
    2816  (x3)  procid_target 33
    2992  (x3)  procid_target 35
    2968  (x3)  procid_target 37
    2688  (x3)  procid_target 39
    1500  (x3)  procid_target 41
    1136  (x3)  procid_target 43
    2676  (x3)  procid_target 45
    3028  (x3)  procid_target 47
    264   (x3)  procid_target 49
    2516  (x3)  procid_target 51
    2784  (x3)  procid_target 53
  cmd.exe (PID 2784) wrote to memory of:
    1740  (x3)  procid_target 55

Views/modifies file attributes  1 TTPs 1 IoCs
  pid   Process
  2816  attrib.exe
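The "Drops file in Drivers directory" signature only records that the sample opened C:\Windows\System32\drivers\etc\hosts for modification; the next thing a responder wants is a list of everything in that file that is not stock. The following Python check is an added example (mine, not part of the tria.ge report and not the sample's code): it parses a hosts file the way Windows does (first token an address, remaining tokens names, `#` starts a comment), drops the default localhost lines, and classifies each remaining entry as a sinkhole (0.0.0.0 or a loopback address) or a redirect to a remote address. The embedded hosts content is constructed for the example; its two non-default entries are hypothetical and use reserved example names and a TEST-NET-3 address.

```python
"""Hosts-file override check (added example; not from the tria.ge report)."""
import ipaddress

# Stock entries of a Windows hosts file; anything else is an override.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample, not the sandbox's real hosts file: the default lines plus two
# hypothetical additions of the kind an integrity check should surface.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 localhost
::1 localhost
0.0.0.0 av-update.example        # hypothetical sinkhole entry
203.0.113.5 login.example        # hypothetical redirect entry (TEST-NET-3 address)
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every usable entry, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first token is not an address: Windows skips the line, so do we
        for name in fields[1:]:
            yield line_no, str(ip), name.lower()


def find_overrides(text):
    """Return the non-default entries, each tagged 'sinkhole' (0.0.0.0 / loopback)
    or 'redirect' (any other address)."""
    overrides = []
    for line_no, ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        kind = "sinkhole" if addr.is_unspecified or addr.is_loopback else "redirect"
        overrides.append({"line": line_no, "ip": ip, "host": name, "kind": kind})
    return overrides


if __name__ == "__main__":
    for o in find_overrides(SAMPLE_HOSTS):
        print(f"line {o['line']}: {o['host']} -> {o['ip']} ({o['kind']})")
```

On a live host, pass the contents of C:\Windows\System32\drivers\etc\hosts to `find_overrides`; an empty result means only the stock localhost lines are present. A sinkhole of a security vendor's update or telemetry domain is the pattern to look for after a Defender-tampering run like the one in this report, but treat any unexplained entry as a finding until the owner of the machine can account for it.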
Processes

C:\Users\Admin\AppData\Local\Temp\66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe  (PID 1944)
  "C:\Users\Admin\AppData\Local\Temp\66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe"
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  ↳ C:\Windows\System32\Wbem\wmic.exe  (PID 2184)
    "wmic.exe" csproduct get uuid
    - Suspicious use of AdjustPrivilegeToken

  ↳ C:\Windows\system32\attrib.exe  (PID 2816)
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe"
    - Views/modifies file attributes

  ↳ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2992)
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  ↳ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2968)
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  ↳ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2688)
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  ↳ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1500)
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  ↳ C:\Windows\System32\Wbem\wmic.exe  (PID 1136)
    "wmic.exe" os get Caption
    - Suspicious use of AdjustPrivilegeToken

  ↳ C:\Windows\System32\Wbem\wmic.exe  (PID 2676)
    "wmic.exe" computersystem get totalphysicalmemory

  ↳ C:\Windows\System32\Wbem\wmic.exe  (PID 3028)
    "wmic.exe" csproduct get uuid

  ↳ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 264)
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses

  ↳ C:\Windows\System32\Wbem\wmic.exe  (PID 2516)
    "wmic" path win32_VideoController get name
    - Detects videocard installed

  ↳ C:\Windows\system32\cmd.exe  (PID 2784)
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe" && pause
    - Deletes itself
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    ↳ C:\Windows\system32\PING.EXE  (PID 1740)
      ping localhost
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
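The tree above is a compact Umbral run: the sample fingerprints the host through WMIC and the registry (system UUID, OS caption, RAM, CPU identifier, video controller), adds its own path as a Defender exclusion and switches off real-time, script and IOAV protection, tries to read the Roblox .ROBLOSECURITY session cookie, hides itself with attrib +h +s, and finally removes itself through cmd.exe, using ping localhost as a short delay so the executable is no longer in use when del runs. The HKLN: drive in PID 1500's command line is in the sample's own command string; PowerShell has no such drive (only HKLM: and HKCU:), so that query fails. As an added example that is not part of the tria.ge report and not the Umbral code, the following Python turns those command lines into triage rules and rolls child-process hits up to the root parent, so the sample is flagged on the combination rather than on any single command. The event tuple shape, the rule names and the scoring threshold are my own assumptions; map Sysmon Event ID 1 or EDR process-creation fields onto the tuple to run it on real data.

```python
"""Process-creation triage rules, run over the process tree from this report.

Added example: the rules and the (pid, ppid, image, cmdline) event shape are my
assumptions, not tria.ge's signatures.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"

# Transcribed from the report's process tree: (pid, ppid, image, command line).
EVENTS = [
    (1944, 0, SAMPLE, f'"{SAMPLE}"'),
    (2184, 1944, WMIC, '"wmic.exe" csproduct get uuid'),
    (2816, 1944, r"C:\Windows\system32\attrib.exe", f'"attrib.exe" +h +s "{SAMPLE}"'),
    (2992, 1944, PS, f"\"powershell.exe\" Add-MpPreference -ExclusionPath '{SAMPLE}'"),
    (2968, 1944, PS, '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
                     '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
                     '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
                     '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
                     '-SubmitSamplesConsent NeverSend && powershell Set-MpPreference '
                     '-SubmitSamplesConsent 2'),
    (2688, 1944, PS, r'"powershell.exe" Get-ItemPropertyValue -Path '
                     r'HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    (1500, 1944, PS, r'"powershell.exe" Get-ItemPropertyValue -Path '
                     r'HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    (1136, 1944, WMIC, '"wmic.exe" os get Caption'),
    (2676, 1944, WMIC, '"wmic.exe" computersystem get totalphysicalmemory'),
    (3028, 1944, WMIC, '"wmic.exe" csproduct get uuid'),
    (264, 1944, PS, r'"powershell.exe" Get-ItemPropertyValue -Path '
                    r"'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' "
                    r'-Name PROCESSOR_IDENTIFIER'),
    (2516, 1944, WMIC, '"wmic" path win32_VideoController get name'),
    (2784, 1944, r"C:\Windows\system32\cmd.exe",
     f'"cmd.exe" /c ping localhost && del /F /A h "{SAMPLE}" && pause'),
    (1740, 2784, r"C:\Windows\system32\PING.EXE", "ping localhost"),
]

# Rule names are my own labels; each regex targets one behaviour visible in the tree.
RULES = {
    # Set-MpPreference that disables a Defender component or its telemetry
    "defender_tamper": re.compile(
        r"Set-MpPreference\b.*?-(Disable\w+|MAPSReporting|SubmitSamplesConsent)", re.I),
    # Add-MpPreference carving an exclusion (here: the sample's own path)
    "defender_exclusion": re.compile(r"Add-MpPreference\b.*?-ExclusionPath", re.I),
    # cmd.exe running ping as a delay, then del: the self-deletion idiom
    "self_delete": re.compile(r"\bcmd(\.exe)?\b.*\bping\b.*&&.*\bdel\b", re.I),
    # attrib +h +s hides the dropped file from default Explorer views
    "hide_file": re.compile(r"\battrib(\.exe)?\b.*\+h\b.*\+s\b", re.I),
    # WMIC hardware/OS fingerprinting used to build a victim ID
    "hw_fingerprint": re.compile(
        r"\bwmic(\.exe)?\b.*\b(csproduct|os|computersystem|win32_VideoController)\b", re.I),
    "roblox_cookie": re.compile(r"\.ROBLOSECURITY\b", re.I),
    "cpu_fingerprint": re.compile(r"\bPROCESSOR_IDENTIFIER\b", re.I),
}


def classify(cmdline):
    """Set of rule names whose regex matches this command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def analyze(events):
    """Map each root process (one with no parent in the event set) to the union of
    rule hits from its whole subtree, so the spawner is scored, not only the child."""
    parent_of = {pid: ppid for pid, ppid, _, _ in events}
    findings = defaultdict(set)
    for pid, _, _, cmdline in events:
        tags = classify(cmdline)
        if not tags:
            continue
        root = pid
        while parent_of.get(root) in parent_of:  # walk up until the parent is unknown
            root = parent_of[root]
        findings[root] |= tags
    return dict(findings)


def verdict(findings, threshold=3):
    """Keep roots with at least `threshold` distinct behaviours (threshold is an assumption)."""
    return {pid: sorted(tags) for pid, tags in findings.items() if len(tags) >= threshold}


if __name__ == "__main__":
    for pid, tags in verdict(analyze(EVENTS)).items():
        print(f"PID {pid}: {', '.join(tags)}")
```

Run stand-alone it reports PID 1944 with all seven behaviours. Any one of the `defender_tamper` or `defender_exclusion` hits is worth an alert on its own in a fleet where users do not administer Defender; the roll-up is what separates this sample from an administrator's script that happens to run a single WMIC query.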
Network
MITRE ATT&CK Enterprise v15
  Credential Access
    Credentials from Password Stores (1)
      Credentials from Web Browsers (1)
    Unsecured Credentials (1)
      Credentials In Files (1)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  (a Windows jump-list file under Recent\CustomDestinations, written by the shell when the sample was launched, rather than a file dropped by the sample)
  Filesize: 7KB
  MD5: 0695dfe0fef7e74586ccbd08baba7d61
  SHA1: 451af2e0c9ea7264b4ef548e66b94596067474e6
  SHA256: 4d550cfcfaa8c8c286ef2a5ebd5dee9ecece79d225abb244f3f77990af487dfd
  SHA512: e784604f92c7adf4364e92523f66dfc70599b69d7b0225b3fa265b60d9d4c5fe5f7ffcd06d011628403113c4650aa73ae1cfa85055be9368977e2a1f9bfa454a