Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    07/02/2025, 00:50

General

  • Target

    66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe

  • Size

    227KB

  • MD5

    87d805618091e568a056c988e2c26cfa

  • SHA1

    aedfd6340df353946e6a6b0be5b0f02c3bc69bd2

  • SHA256

    66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62

  • SHA512

    cace3d172fe91b7a971b5fdd64173fdc7a71ce8ca44b4af89a5ce1db9076e9e36614a3fa98305605f593ebcacc27aa0cb8b076a033f0693a5c7b93d0a98c255a

  • SSDEEP

    6144:+loZM+rIkd8g+EtXHkv/iD4ZCaClZ8e1mU0o2i:ooZtL+EP8wDD0G

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Umbral family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe
    "C:\Users\Admin\AppData\Local\Temp\66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2184
    • C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe"
      2⤵
      • Views/modifies file attributes
      PID:2816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1136
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
        PID:2676
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:3028
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:264
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:2516
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\66ef2d1d3aabff55217dda6c03b1867a7ca8adaad5fc1b01d6e058651b450d62.exe" && pause
          2⤵
          • Deletes itself
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1740

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        0695dfe0fef7e74586ccbd08baba7d61

        SHA1

        451af2e0c9ea7264b4ef548e66b94596067474e6

        SHA256

        4d550cfcfaa8c8c286ef2a5ebd5dee9ecece79d225abb244f3f77990af487dfd

        SHA512

        e784604f92c7adf4364e92523f66dfc70599b69d7b0225b3fa265b60d9d4c5fe5f7ffcd06d011628403113c4650aa73ae1cfa85055be9368977e2a1f9bfa454a

      • memory/264-45-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

        Filesize

        32KB

      • memory/1944-0-0x000007FEF4E33000-0x000007FEF4E34000-memory.dmp

        Filesize

        4KB

      • memory/1944-1-0x0000000000360000-0x00000000003A0000-memory.dmp

        Filesize

        256KB

      • memory/1944-2-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

        Filesize

        9.9MB

      • memory/1944-50-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

        Filesize

        9.9MB

      • memory/2968-14-0x000000001B790000-0x000000001BA72000-memory.dmp

        Filesize

        2.9MB

      • memory/2968-15-0x0000000001D90000-0x0000000001D98000-memory.dmp

        Filesize

        32KB

      • memory/2992-7-0x000000001B730000-0x000000001BA12000-memory.dmp

        Filesize

        2.9MB

      • memory/2992-8-0x0000000002310000-0x0000000002318000-memory.dmp

        Filesize

        32KB