Overview

overview

10

Static

static

10

MemCheckRc7.exe

windows7-x64

10

MemCheckRc7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    99s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-07-2023 22:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MemCheckRc7.exe

  • Size

    227KB

  • MD5

    ce368bd6492ca074696e36eb8faed831

  • SHA1

    c0cc7d66fb33d6582aac9f0c13210268fb8b3942

  • SHA256

    4b088d7a956ee6a1a11987fd7e1205265ad86925e8b5463c8e9b733f6af527e0

  • SHA512

    58d3f38b4a77c20d17dcf2a90cc31772cc3ffed78aa6081e1382c5ad510c3af5e4a18745d04566193566c003e28449589dde5f472bc3e0872a0a3f4588fcd41b

  • SSDEEP

    6144:+loZM+rIkd8g+EtXHkv/iD4mm8UCg/7IQR0STTKuUb8e1m9i:ooZtL+EP8mm8UCg/7IQR0STTKPP

Score
10/10
umbralstealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MemCheckRc7.exe
    "C:\Users\Admin\AppData\Local\Temp\MemCheckRc7.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2516
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ConvertRestart.vbs"
    1⤵
      PID:4276
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ConvertRestart.vbs"
      1⤵
        PID:2432
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2744

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/220-133-0x00000123E1780000-0x00000123E17C0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/220-134-0x00007FFE3AA40000-0x00007FFE3B501000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/220-135-0x00000123FBED0000-0x00000123FBEE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/220-137-0x00007FFE3AA40000-0x00007FFE3B501000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2744-138-0x0000027989270000-0x0000027989271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2744-139-0x0000027989270000-0x0000027989271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2744-140-0x0000027989270000-0x0000027989271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2744-144-0x0000027989270000-0x0000027989271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2744-145-0x0000027989270000-0x0000027989271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2744-146-0x0000027989270000-0x0000027989271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2744-147-0x0000027989270000-0x0000027989271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2744-148-0x0000027989270000-0x0000027989271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2744-149-0x0000027989270000-0x0000027989271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2744-150-0x0000027989270000-0x0000027989271000-memory.dmp

        Filesize

        4KB

        Download