Overview

overview

10

Static

static

3

Z1ON Dot N...or.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    133s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15-12-2023 21:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Z1ON Dot Net Obfuscator.exe

  • Size

    1.9MB

  • MD5

    8ec9b900dbb217f1569c50c14d4adf34

  • SHA1

    d73701be4fc77450549011cc6c19f37feddcf5b4

  • SHA256

    c73691a41f00ef9996d4dc6c045630d279e181bad3637b284f60479e62881c0c

  • SHA512

    4486419c5b338a17e813acbca2a5300ce085e172a588ae93bec3927fada2ad0f763dff34a944370fc350ea48c6ed9752a2da553309fe5cefffb81811eed39f6b

  • SSDEEP

    49152:wZz/tPlg5nvjlIQH6gVTBicEE0ZPnQvEtQo3A:wZTtPaR7d5IRQvQl

Score
10/10
umbralstealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1181926505694105630/CE5sVzq-GthkGDnvcUQZk7Evr9osSekTkqbwPbUukyJDim0j7oTaR65R-5mv1Sfx-3Re

Signatures

  • Detect Umbral payload 3 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
    "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3648
    • C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
      "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4264
      • C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3888
        • C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
          "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
          4⤵
            PID:3856
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
            4⤵
            • Creates scheduled task(s)
            PID:3336
          • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
            "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4824
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              5⤵
                PID:4508
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4376
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
            3⤵
            • Creates scheduled task(s)
            PID:3244
          • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
            "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4300
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              4⤵
                PID:656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3692
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
            2⤵
            • Creates scheduled task(s)
            PID:3312
          • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
            "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4740
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2384

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log
          Filesize

          1KB

          MD5

          53ea0a2251276ba7ae39b07e6116d841

          SHA1

          5f591af152d71b2f04dfc3353a1c96fd4153117d

          SHA256

          3f7b0412c182cbdefb3eedafe30233d209d734b1087234ac15409636006b3302

          SHA512

          cf63abfe61389f241755eef4b8ed0f41701568b79d1263e885f8989ce3eca6bf9f8d5805b4cc7304aaaa5c7e14122b0d15bd9948e47108107bbb7219fd498306

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Z1ON Dot Net Obfuscator.exe.log
          Filesize

          654B

          MD5

          16c5fce5f7230eea11598ec11ed42862

          SHA1

          75392d4824706090f5e8907eee1059349c927600

          SHA256

          87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

          SHA512

          153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          d3a0eab14343324ab7eb60517edf17a5

          SHA1

          89d65c504abf8065ceecba9b6ce4d28d3f833065

          SHA256

          be915bc0100ff5b0664844c54851136d86209b06a9292191275a28ca9c01c18e

          SHA512

          35e76718359875aacf8cb0cd98d767a7f96d6f38ba545245600065742ba2e1bac2c404e962f3e138717d3baae6e16f728d60f42a8f59004d6307113750a58ce4

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          b3d3806092fa8e83b88a3416ee28878d

          SHA1

          2f7f48bfecd8cfd8ec43fc8467b528611ed2fe47

          SHA256

          5800560b3fa157481ff8c803743e5a4763e3105b24b25db93066220fdcddb98d

          SHA512

          74692475f0e5f0b6f3a1474fbc8fe9bb47656114670b47eeff80c38268d7f39cd3ec3284eb326a1f24091be687dc870874d8a406ba7bad9fae5f2048d13df931

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
          Filesize

          211KB

          MD5

          fba76609bd037849d34c8a1fb27c2fa8

          SHA1

          536467b289ea5e70afdff1bffdd2d132419f7336

          SHA256

          6360283c27e88922f159138e661ccc1cd32467cd83a7aa95e9ab6333c693021f

          SHA512

          febc06726e47ad93500e5051c6e38581d693d23326b987912c91f7c714575ea6be0f2a823e3e31435eb5d23457d094c9aded906a24747e7d5f38d8a3c81d2eb4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
          Filesize

          227KB

          MD5

          e55e95e9f14ec4f04735dedc53921773

          SHA1

          39a664bccf3564cc15341e2df671f79efaf599bd

          SHA256

          f90239f26adcd67c9e71b6ceb2989ba1c2d95c23363816c622f377a763f6d462

          SHA512

          939b9368259971de2d3ec6e558cdd22f2ee21e7120ab5293873365e2ffb17b069ee81dae559fc00876764e62576e96fe6ec121c9343b4c840ff8b7a414c26cc6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2e1fxaoo.i1p.ps1
          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          Download Submit

        • memory/2816-123-0x000000001B020000-0x000000001B030000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2816-177-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2816-66-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2816-131-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3648-0-0x00000000009F0000-0x0000000000BD4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3648-2-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3648-1-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3648-61-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3692-10-0x0000019372660000-0x0000019372670000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3692-52-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3692-50-0x0000019372660000-0x0000019372670000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3692-27-0x0000019372660000-0x0000019372670000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3692-14-0x0000019372930000-0x00000193729A6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3692-11-0x0000019372880000-0x00000193728A2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3692-9-0x0000019372660000-0x0000019372670000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3692-6-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3856-124-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3856-179-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3888-128-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3888-175-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3888-172-0x000001F1A4D60000-0x000001F1A4D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3888-149-0x000001F1A4D60000-0x000001F1A4D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3888-133-0x000001F1A4D60000-0x000001F1A4D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3888-132-0x000001F1A4D60000-0x000001F1A4D70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4264-63-0x000000001B790000-0x000000001B7A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4264-3-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4264-120-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4264-71-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4300-121-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4300-122-0x000001DEE7640000-0x000001DEE7650000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4300-127-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4376-74-0x000002C418640000-0x000002C418650000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4376-72-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4376-90-0x000002C418640000-0x000002C418650000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4376-73-0x000002C418640000-0x000002C418650000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4376-115-0x000002C418640000-0x000002C418650000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4376-117-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4740-95-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4740-64-0x000001CF5BAC0000-0x000001CF5BAD0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4740-62-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4740-60-0x000001CF41460000-0x000001CF414A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/4824-181-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4824-178-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4824-180-0x000002BAB0E00000-0x000002BAB0E10000-memory.dmp

          Filesize

          64KB

          Download