Overview

overview

10

Static

static

3

Yeezus.rar

windows7-x64

3

Yeezus.rar

windows10-2004-x64

10

InjectionLibrary.dll

windows7-x64

1

InjectionLibrary.dll

windows10-2004-x64

1

ReaLTaiizor.dll

windows7-x64

1

ReaLTaiizor.dll

windows10-2004-x64

1

Yeezus.exe

windows7-x64

10

Yeezus.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2024 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Yeezus.rar

  • Size

    10.2MB

  • MD5

    89244016652732d4e13623ccbcde05fe

  • SHA1

    bec24f34223b41da38e6b5f1f9a57de6809c7bef

  • SHA256

    7f62f4def03ffd80426a25d462e04497eda6a8848529a1d8d51e7936ce6c1131

  • SHA512

    ce24a5c4734165758813c1ab07662745f8b00adc95aad755728d092099968343bb6dcf6137392732b52cc66bce004deda0a644fb361d1f606411d5d137699d1f

  • SSDEEP

    196608:iVZ5QIEKtiNWVssmoZuSX/RZGmfe390Owlt51J7Vvfnx2Pwk7JGi83sYXjjW:guI1iNEhmLJGOkt57Vx2Pwk7wiFWa

Score
10/10
umbralevasionstealertrojan

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Yeezus.rar
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Yeezus.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1232
  • C:\Users\Admin\Desktop\Yeezus.exe
    "C:\Users\Admin\Desktop\Yeezus.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Executes dropped EXE
    • Loads dropped DLL
    • Windows security modification
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2356
    • C:\Users\Admin\AppData\Local\Temp\injector.exe
      "C:\Users\Admin\AppData\Local\Temp\injector.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\InjectionLibrary.dll
    Filesize

    78KB

    MD5

    64ef546a5a013f36524507e7dfc70d09

    SHA1

    d6d0aabdc88b7a875fd666a65194e250cd9ef3e5

    SHA256

    7919342e61f58303b1efe7bc3f2a612b717d64069c45eb53f0193218821d0016

    SHA512

    b409aaaf770bf0ca436e66279a324158845cba04ad892bbe98c0e32e96faacf83108d5e5b2b51efb59c8a3fccb4476303af47408f1a26bd79b18008ceaa7cc6b

    Download Submit

  • C:\Users\Admin\Desktop\InjectionLibrary.dll
    Filesize

    17KB

    MD5

    141db3724ef796ef7d564ec65ecec0f6

    SHA1

    3c2ce060860f2bafb89b70199ffc829469099e29

    SHA256

    ca880aa6de3538fa4e4a4c09a2b619b07c01a800e62f2be6f113f94d5b283e6d

    SHA512

    811c46c2683880b1a832f812b8290721412eb32709e2be0673f28c1ec590d25e29fbed83b994fc8b37016792873e97aa9051fdf5df4585dc9f3e44a4afb57215

    Download Submit

  • C:\Users\Admin\Desktop\InjectionLibrary.dll
    Filesize

    31KB

    MD5

    ca70912aa4625cda478eb8f84030b555

    SHA1

    84a19843c63da028fda14346b6257d100bc89181

    SHA256

    e51fda41838f4b3f920c983cd57fdb3f1cc63aadace13eb28e0a8001d8dd2a98

    SHA512

    8e765bd3a37c4b0dbed53db8be676dcaa5105ea25cef734fa313fb8c7d0a9c6c1abe16c5d62eb82f05b0f898c0948fd177b34975fdb6812106694d6a4e6626f6

    Download Submit

  • C:\Users\Admin\Desktop\ReaLTaiizor.dll
    Filesize

    381KB

    MD5

    2b42fe611f665c08c8989d98857afc2c

    SHA1

    fd4f39fe1da97e6b2b40d7ceaf31c2b936635766

    SHA256

    c21d219a9ea38a1458f72b71f1c2261f21f206847163e88366fe7651f7778818

    SHA512

    ef682281e95962248d447d3882e06a6d8ed639b696fb4ea08a486ab6fbc1c2cd0be661b0a25fadf19402176e5fe756a84d67d306e7da9be6cbc558f461ed011b

    Download Submit

  • C:\Users\Admin\Desktop\ReaLTaiizor.dll
    Filesize

    416KB

    MD5

    739cd742305c02f9edbd37c3481503a6

    SHA1

    dee2c2f68d0807aaa8a5c12281649f90e69e2678

    SHA256

    b303617f4aeb128b30a9ca3161880baa91682bb087b2289af9ee7fc26e3c149a

    SHA512

    b4dad4fe962d908f594aab7550970b09df9e6370f99b89d57c2e254f65af8da825b04ac85679cf5067c6719949df4b766da1affb8baebef508cd84fe79abbccf

    Download Submit

  • C:\Users\Admin\Desktop\ReaLTaiizor.dll
    Filesize

    413KB

    MD5

    bbae76bb025b333ccdab2dc7a74c2a44

    SHA1

    578a12457bb6a9ef23f797711729aa071d67ffa7

    SHA256

    58164f9394220c4a78767ead58497e25ca48e818cec6c5c8d7efb813112d8a85

    SHA512

    48598e10415747f3274f3bfd3cf804774b6cc4a0da7d8651e5d96566a095b41dbf16031844d0600a37333ae75be34a278c19a0b05797b10ea2537c6c28a6f20c

    Download Submit

  • C:\Users\Admin\Desktop\Yeezus.exe
    Filesize

    1024KB

    MD5

    ae27377684c8e7ea89b33649ff5a499c

    SHA1

    e5b26d538041fce1d27dd89aaa6440b8e9c402f4

    SHA256

    ed36961cf2afad48e7893cdfad48860cb90e561ac0ffe7e638458dfdb2d4012e

    SHA512

    6e05ef97a6a007522fe98425fefeded3f7d0aff9daeb7e7981278ecf89646a5fae07ed301ea9d6ac512aa1f431462818bccd1fcb1100aeca92d69a7f8454acf2

    Download Submit

  • C:\Users\Admin\Desktop\Yeezus.exe
    Filesize

    305KB

    MD5

    306c16ff9ab8a39c4ea01e2025a488ac

    SHA1

    765c02e098f45a6b6be986095267dcb785e0b791

    SHA256

    82b5f7a2b4e4223d2caceccc59ea82691b2edbf28a412a004d7c663017dc710f

    SHA512

    d186b89e390da7cb1a1771a5a05038399ea5e0ea8b2ecc777aefe4631eb62910fca07b039038b3944596ceb7078288545fa39e19d41d54576f773bd62e6d32c9

    Download Submit

  • memory/1340-89-0x00007FFE85840000-0x00007FFE86301000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1340-83-0x00007FFE85840000-0x00007FFE86301000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1340-87-0x0000020978DE0000-0x0000020978DF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1340-82-0x000002095E760000-0x000002095E7A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2356-24-0x0000000002C40000-0x0000000002C76000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2356-45-0x0000000006B00000-0x0000000006B32000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2356-70-0x0000000075250000-0x0000000075A00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2356-65-0x0000000007AB0000-0x0000000007AC4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2356-67-0x0000000007B90000-0x0000000007B98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2356-66-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2356-25-0x0000000075250000-0x0000000075A00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2356-26-0x0000000005830000-0x0000000005E58000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2356-28-0x00000000051F0000-0x0000000005200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2356-27-0x00000000051F0000-0x0000000005200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2356-39-0x0000000005FD0000-0x0000000006036000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2356-40-0x0000000006040000-0x00000000060A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2356-41-0x00000000060B0000-0x0000000006404000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2356-29-0x0000000005790000-0x00000000057B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2356-42-0x0000000006550000-0x000000000656E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2356-43-0x0000000006580000-0x00000000065CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2356-64-0x0000000007AA0000-0x0000000007AAE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2356-46-0x0000000070510000-0x000000007055C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2356-58-0x0000000007730000-0x00000000077D3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2356-57-0x0000000006AE0000-0x0000000006AFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2356-56-0x00000000051F0000-0x0000000005200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2356-60-0x0000000007870000-0x000000000788A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2356-59-0x0000000007EC0000-0x000000000853A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2356-63-0x0000000007A70000-0x0000000007A81000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2356-44-0x000000007F8C0000-0x000000007F8D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2356-61-0x00000000078F0000-0x00000000078FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2356-62-0x0000000007AF0000-0x0000000007B86000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3572-10-0x0000000006050000-0x0000000006051000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3572-23-0x000000000AAB0000-0x000000000B024000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/3572-86-0x0000000006560000-0x0000000006570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-84-0x0000000006560000-0x0000000006570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-13-0x0000000006A20000-0x0000000006AB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3572-22-0x0000000006D80000-0x0000000006D8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3572-11-0x0000000006560000-0x0000000006570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-85-0x0000000006560000-0x0000000006570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-93-0x0000000006560000-0x0000000006570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-17-0x0000000008830000-0x0000000009288000-memory.dmp

    Filesize

    10.3MB

    Download

  • memory/3572-12-0x0000000006EE0000-0x0000000007484000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3572-9-0x0000000000A20000-0x0000000001D92000-memory.dmp

    Filesize

    19.4MB

    Download

  • memory/3572-8-0x0000000075250000-0x0000000075A00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3572-90-0x0000000075250000-0x0000000075A00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3572-91-0x0000000006560000-0x0000000006570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-92-0x0000000006560000-0x0000000006570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-94-0x0000000006560000-0x0000000006570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-21-0x0000000006BC0000-0x0000000006BDC000-memory.dmp

    Filesize

    112KB

    Download