Overview

overview

10

Static

static

7

ConsoleApp...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    10s
  • max time network
    19s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2023 03:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ConsoleApplication1_protected.exe

  • Size

    24.9MB

  • MD5

    c79c2a913c7dac3db3567375a7643cfc

  • SHA1

    fa76240f3722352c6598d3992c95cac12dca53c8

  • SHA256

    35e27fd1445c11bcceede5059823629f428058d70d182dffc4d02ce0a5a5ae41

  • SHA512

    990c0f24ba3a96ec21b16b2ce3f9870b4d8fc70a35f66af14b2ca6619545e276a24e5bbb21545befa9e96283e5be07c6481fac24378c6b8257d23105a718b05a

  • SSDEEP

    393216:ZRM3IIVoIhlU9KTC+DMo1UoLEc6+0A65dcbyReDhWARlH7ptR3VeWc8CZkoU:ZS3VoRVNoIcsR5djeDhpRlH7fRIRrk5

Score
10/10
umbralevasionstealerthemidatrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1170536634891128902/hdNxkvpSxRXfW2ouud2imDE8eFbcAfoi3fBBxpcoRyxI8E-rxHT7NHLuI-Q-ThYq7M3H

Signatures

  • Detect Umbral payload 9 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1_protected.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Windows\System32\Speech\x124HWpAAOxjQbpVb3iT2uY8lC4Hgn0E.exe
      C:\Windows\System32\Speech\x124HWpAAOxjQbpVb3iT2uY8lC4Hgn0E.exe
      2⤵
      • Executes dropped EXE
      PID:1188
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause > nul
      2⤵
        PID:1524
      • C:\Windows\System32\Speech\Fo8hwdjszXcvIt64pmIY5R8iBiGY8cds.exe
        C:\Windows\System32\Speech\Fo8hwdjszXcvIt64pmIY5R8iBiGY8cds.exe
        2⤵
        • Executes dropped EXE
        PID:3016
        • C:\Windows\SYSTEM32\attrib.exe
          "attrib.exe" +h +s "C:\Windows\System32\Speech\Fo8hwdjszXcvIt64pmIY5R8iBiGY8cds.exe"
          3⤵
          • Views/modifies file attributes
          PID:4364
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\System32\Speech\Fo8hwdjszXcvIt64pmIY5R8iBiGY8cds.exe'
          3⤵
            PID:2672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            3⤵
              PID:1224

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          77d622bb1a5b250869a3238b9bc1402b

          SHA1

          d47f4003c2554b9dfc4c16f22460b331886b191b

          SHA256

          f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

          SHA512

          d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eooyuxbb.14e.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Windows\System32\Speech\Fo8hwdjszXcvIt64pmIY5R8iBiGY8cds.exe
          Filesize

          227KB

          MD5

          ef2711e9aeeb23297016ef32b46a3c7e

          SHA1

          ba51f478c1118d7803620367cb97ce2ceba52a5a

          SHA256

          2fe65b8585389b60e44f688f755bbaefe5a3689737050a96c7586bd9b69a9759

          SHA512

          3c5453a308f0f8321141c2949540f7c3a7c9774eb9e8767210ee30e9745caee0e8bafa8806736f1ec04bd952aa411a5a38a6c97fe19bea3d8d86729571a7059f

          Download Submit

        • C:\Windows\System32\Speech\Fo8hwdjszXcvIt64pmIY5R8iBiGY8cds.exe
          Filesize

          227KB

          MD5

          ef2711e9aeeb23297016ef32b46a3c7e

          SHA1

          ba51f478c1118d7803620367cb97ce2ceba52a5a

          SHA256

          2fe65b8585389b60e44f688f755bbaefe5a3689737050a96c7586bd9b69a9759

          SHA512

          3c5453a308f0f8321141c2949540f7c3a7c9774eb9e8767210ee30e9745caee0e8bafa8806736f1ec04bd952aa411a5a38a6c97fe19bea3d8d86729571a7059f

          Download Submit

        • C:\Windows\System32\Speech\x124HWpAAOxjQbpVb3iT2uY8lC4Hgn0E.exe
          Filesize

          11KB

          MD5

          cebf7458dceffcbb81a290cf045beb27

          SHA1

          98c74fa610995d61d2ee78a2ea888e003e9f436d

          SHA256

          97d22321ba783bf6d2119320d38d776bbc6bef42fe3dadecf512e23bbdd29660

          SHA512

          144f0da1e8060e08340f1b349f7bbb17be298ee3d27d056d5603143125b8a9d7abb9485d0f5a2a26e2e50f0d5970ecf5fc3a9e665eece70414c6dc1504b04a91

          Download Submit

        • memory/1224-40-0x000002B9A4960000-0x000002B9A4970000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1224-57-0x00007FFBD8DA0000-0x00007FFBD9861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1224-54-0x000002B9A4960000-0x000002B9A4970000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1224-39-0x00007FFBD8DA0000-0x00007FFBD9861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2672-30-0x00000237DC130000-0x00000237DC152000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2672-37-0x00007FFBD8DA0000-0x00007FFBD9861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2672-34-0x00000237DC180000-0x00000237DC190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2672-32-0x00000237DC180000-0x00000237DC190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2672-33-0x00000237DC180000-0x00000237DC190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2672-31-0x00007FFBD8DA0000-0x00007FFBD9861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2828-1-0x00007FF6DBBA0000-0x00007FF6DFCF4000-memory.dmp

          Filesize

          65.3MB

          Download

        • memory/2828-53-0x00007FF6DBBA0000-0x00007FF6DFCF4000-memory.dmp

          Filesize

          65.3MB

          Download

        • memory/2828-20-0x00007FFBF84F0000-0x00007FFBF86E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2828-5-0x00007FF6DBBA0000-0x00007FF6DFCF4000-memory.dmp

          Filesize

          65.3MB

          Download

        • memory/2828-18-0x00007FF6DBBA0000-0x00007FF6DFCF4000-memory.dmp

          Filesize

          65.3MB

          Download

        • memory/2828-3-0x00007FF6DBBA0000-0x00007FF6DFCF4000-memory.dmp

          Filesize

          65.3MB

          Download

        • memory/2828-2-0x00007FF6DBBA0000-0x00007FF6DFCF4000-memory.dmp

          Filesize

          65.3MB

          Download

        • memory/2828-56-0x00007FFBF84F0000-0x00007FFBF86E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2828-0-0x00007FFBF84F0000-0x00007FFBF86E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2828-6-0x00007FF6DBBA0000-0x00007FF6DFCF4000-memory.dmp

          Filesize

          65.3MB

          Download

        • memory/2828-4-0x00007FF6DBBA0000-0x00007FF6DFCF4000-memory.dmp

          Filesize

          65.3MB

          Download

        • memory/3016-51-0x00007FFBD8DA0000-0x00007FFBD9861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3016-16-0x0000017855AD0000-0x0000017855B10000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3016-17-0x00007FFBD8DA0000-0x00007FFBD9861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3016-19-0x0000017855F60000-0x0000017855F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3016-60-0x0000017870220000-0x0000017870296000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3016-61-0x00000178702A0000-0x00000178702F0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3016-62-0x00000178578C0000-0x00000178578DE000-memory.dmp

          Filesize

          120KB

          Download