Overview

overview

10

Static

static

10

primordial...ed.exe

windows7-x64

10

primordial...ed.exe

windows10-2004-x64

10

primordialV2.dll

windows7-x64

1

primordialV2.dll

windows10-2004-x64

1

Resubmissions

17-02-2024 09:50

240217-lt6y5sde4y 10

17-02-2024 09:20

240217-la7rbsdg95 10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-02-2024 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    primordial loader cracked.exe

  • Size

    229KB

  • MD5

    aade2822bd0471da2ed5a068a099fb1b

  • SHA1

    39e9fbd333650353aff09f6f0f66a3d1d6dcdd14

  • SHA256

    00201eadd8efe516d68a7b736bd3b66635ad9bd5c7ede630bd2a85edf2d3f97d

  • SHA512

    0dbb3f78c8034330010bc02053b382489243a69a9a2d179f96b34715acf8b805c824e2efbf13ba870e570138a9aecb3e7696167cd9f264bc4bd750dd3da545dc

  • SSDEEP

    6144:7loZM99EBt/SqctonEPfCqArWu/p3cw/3eHp0AVwpJ8e1muf8:ZoZvFSqcwvrWu/p3cw/3eHp0AVCVk

Score
10/10
umbralstealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\primordial loader cracked.exe
    "C:\Users\Admin\AppData\Local\Temp\primordial loader cracked.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1212
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1628
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
      PID:1516

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1628-14-0x0000022D3A220000-0x0000022D3A221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1628-7-0x0000022D3A220000-0x0000022D3A221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1628-17-0x0000022D3A220000-0x0000022D3A221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1628-16-0x0000022D3A220000-0x0000022D3A221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1628-5-0x0000022D3A220000-0x0000022D3A221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1628-6-0x0000022D3A220000-0x0000022D3A221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1628-15-0x0000022D3A220000-0x0000022D3A221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1628-12-0x0000022D3A220000-0x0000022D3A221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1628-13-0x0000022D3A220000-0x0000022D3A221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1628-11-0x0000022D3A220000-0x0000022D3A221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3628-0-0x000001FA81FF0000-0x000001FA82030000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3628-1-0x00007FF90A2A0000-0x00007FF90AD61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3628-4-0x00007FF90A2A0000-0x00007FF90AD61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3628-2-0x000001FA9C490000-0x000001FA9C4A0000-memory.dmp

      Filesize

      64KB

      Download