Analysis

  • max time kernel
    138s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-02-2024 20:16

General

  • Target
    CheatCheck.exe
  • Size
    1.9MB
  • MD5
    f5180bd1bede58236ddd37276403c888
  • SHA1
    919b6b47635e81a1f0f2637f89902fc9563387cd
  • SHA256
    e00d8a4b001935fb2c6cbedf9300e364ed6bdfd29158e04dbdedb018c4a6878a
  • SHA512
    cebec5ea8762f1aaee9884a46d3cf7d7d138dfc25240f5da1216cdcfdc32d0f5f47b677674837b178735eec2794227c7af7a85352501e8387fa7e06c7d1a6244
  • SSDEEP
    49152:62YU+sjELQXoeysHa6/3pKJz6lRusCofRVg6PJuL68l:62JT5G6/pKocsC6geJuG

Score
10/10

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1205950589855473715/yMBp6zJGAY_8GNy4KCuGaBheW78ZyPBH6wBshmsyIHWe3bpwN-cogn3qrbzWQQLDF5nC

Signatures

  • Detect Umbral payload 3 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CheatCheck.exe
    "C:\Users\Admin\AppData\Local\Temp\CheatCheck.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1800

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/4528-0-0x00000000001F0000-0x00000000006B4000-memory.dmp
    Filesize: 4.8MB
  • memory/4528-1-0x00000000773B4000-0x00000000773B6000-memory.dmp
    Filesize: 8KB
  • memory/4528-2-0x00000000741A0000-0x0000000074950000-memory.dmp
    Filesize: 7.7MB
  • memory/4528-3-0x00000000001F0000-0x00000000006B4000-memory.dmp
    Filesize: 4.8MB
  • memory/4528-4-0x00000000001F0000-0x00000000006B4000-memory.dmp
    Filesize: 4.8MB
  • memory/4528-5-0x00000000070F0000-0x0000000007182000-memory.dmp
    Filesize: 584KB
  • memory/4528-6-0x0000000007740000-0x0000000007CE4000-memory.dmp
    Filesize: 5.6MB
  • memory/4528-10-0x00000000001F0000-0x00000000006B4000-memory.dmp
    Filesize: 4.8MB
  • memory/4528-11-0x00000000741A0000-0x0000000074950000-memory.dmp
    Filesize: 7.7MB