umbral | hxxps://anonymfile[.]com/oaNb/vantafn[.]rar

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anonymfile.com/oaNb/vantafn.rar

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000000070d-170.dat	family_umbral
behavioral1/memory/1964-178-0x000001D0435D0000-0x000001D043610000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 3 IoCs

pid	Process
1964	Vanta Loader.exe
3224	Vanta Loader.exe
5172	Vanta Loader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	7zFM.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3836	msedge.exe
3836	msedge.exe
3328	identity_helper.exe
3328	identity_helper.exe
5780	msedge.exe
5780	msedge.exe
6024	7zFM.exe
6024	7zFM.exe
6024	7zFM.exe
6024	7zFM.exe
6024	7zFM.exe
6024	7zFM.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6024	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	6024	7zFM.exe
Token: 35	6024	7zFM.exe
Token: SeSecurityPrivilege	6024	7zFM.exe
Token: SeDebugPrivilege	1964	Vanta Loader.exe
Token: SeIncreaseQuotaPrivilege	5232	wmic.exe
Token: SeSecurityPrivilege	5232	wmic.exe
Token: SeTakeOwnershipPrivilege	5232	wmic.exe
Token: SeLoadDriverPrivilege	5232	wmic.exe
Token: SeSystemProfilePrivilege	5232	wmic.exe
Token: SeSystemtimePrivilege	5232	wmic.exe
Token: SeProfSingleProcessPrivilege	5232	wmic.exe
Token: SeIncBasePriorityPrivilege	5232	wmic.exe
Token: SeCreatePagefilePrivilege	5232	wmic.exe
Token: SeBackupPrivilege	5232	wmic.exe
Token: SeRestorePrivilege	5232	wmic.exe
Token: SeShutdownPrivilege	5232	wmic.exe
Token: SeDebugPrivilege	5232	wmic.exe
Token: SeSystemEnvironmentPrivilege	5232	wmic.exe
Token: SeRemoteShutdownPrivilege	5232	wmic.exe
Token: SeUndockPrivilege	5232	wmic.exe
Token: SeManageVolumePrivilege	5232	wmic.exe
Token: 33	5232	wmic.exe
Token: 34	5232	wmic.exe
Token: 35	5232	wmic.exe
Token: 36	5232	wmic.exe
Token: SeIncreaseQuotaPrivilege	5232	wmic.exe
Token: SeSecurityPrivilege	5232	wmic.exe
Token: SeTakeOwnershipPrivilege	5232	wmic.exe
Token: SeLoadDriverPrivilege	5232	wmic.exe
Token: SeSystemProfilePrivilege	5232	wmic.exe
Token: SeSystemtimePrivilege	5232	wmic.exe
Token: SeProfSingleProcessPrivilege	5232	wmic.exe
Token: SeIncBasePriorityPrivilege	5232	wmic.exe
Token: SeCreatePagefilePrivilege	5232	wmic.exe
Token: SeBackupPrivilege	5232	wmic.exe
Token: SeRestorePrivilege	5232	wmic.exe
Token: SeShutdownPrivilege	5232	wmic.exe
Token: SeDebugPrivilege	5232	wmic.exe
Token: SeSystemEnvironmentPrivilege	5232	wmic.exe
Token: SeRemoteShutdownPrivilege	5232	wmic.exe
Token: SeUndockPrivilege	5232	wmic.exe
Token: SeManageVolumePrivilege	5232	wmic.exe
Token: 33	5232	wmic.exe
Token: 34	5232	wmic.exe
Token: 35	5232	wmic.exe
Token: 36	5232	wmic.exe
Token: SeSecurityPrivilege	6024	7zFM.exe
Token: SeDebugPrivilege	3224	Vanta Loader.exe
Token: SeIncreaseQuotaPrivilege	208	wmic.exe
Token: SeSecurityPrivilege	208	wmic.exe
Token: SeTakeOwnershipPrivilege	208	wmic.exe
Token: SeLoadDriverPrivilege	208	wmic.exe
Token: SeSystemProfilePrivilege	208	wmic.exe
Token: SeSystemtimePrivilege	208	wmic.exe
Token: SeProfSingleProcessPrivilege	208	wmic.exe
Token: SeIncBasePriorityPrivilege	208	wmic.exe
Token: SeCreatePagefilePrivilege	208	wmic.exe
Token: SeBackupPrivilege	208	wmic.exe
Token: SeRestorePrivilege	208	wmic.exe
Token: SeShutdownPrivilege	208	wmic.exe
Token: SeDebugPrivilege	208	wmic.exe
Token: SeSystemEnvironmentPrivilege	208	wmic.exe
Token: SeRemoteShutdownPrivilege	208	wmic.exe
Token: SeUndockPrivilege	208	wmic.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
6024	7zFM.exe
6024	7zFM.exe
6024	7zFM.exe
6024	7zFM.exe
6024	7zFM.exe
6024	7zFM.exe
6024	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 1440	3836	msedge.exe	80
PID 3836 wrote to memory of 1440	3836	msedge.exe	80
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 2028	3836	msedge.exe	87
PID 3836 wrote to memory of 3192	3836	msedge.exe	86
PID 3836 wrote to memory of 3192	3836	msedge.exe	86
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88
PID 3836 wrote to memory of 4128	3836	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2f4c46f8,0x7ffd2f4c4708,0x7ffd2f4c4718
1⤵
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://anonymfile.com/oaNb/vantafn.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1300 /prefetch:8
  2⤵
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5780
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\VantaFN.rar"
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\7zO887AD078\Vanta Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO887AD078\Vanta Loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5232
- - C:\Users\Admin\AppData\Local\Temp\7zO88735F28\Vanta Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO88735F28\Vanta Loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:208
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO887F7928\Instructions (2).txt
    3⤵
    PID:5636
- - C:\Users\Admin\AppData\Local\Temp\7zO88747EC8\Vanta Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO88747EC8\Vanta Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:5172
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,15822739246916095383,1641701027211145261,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4892 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4812

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x338
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Vanta Loader.exe.log

Filesize
1KB

MD5
8094b248fe3231e48995c2be32aeb08c

SHA1
2fe06e000ebec919bf982d033c5d1219c1f916b6

SHA256
136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

SHA512
bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\03306565-4939-4d13-a88f-4c2fcf7dbd90.tmp

Filesize
12KB

MD5
884e9411c0f5350272fb0657f1d73aa4

SHA1
2c44b55e0b5f708b9cfe439077ecfb4b2777cf17

SHA256
7d81f5ff98055e90026d17169340ded7dffb4e627498dedd0bebdabdeafb0021

SHA512
aad7b73e32e4bc137be857db19f44e2145ccf465b40341e21bdd374fe259d0641b61dd0c609a6c4e574f1ddcff97899813e0ce45d11fc527d68b54b5401029f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
529122e68fa2372f7a8a00b69cdae1fc

SHA1
46e6471dd50354d2c2f202c5ac3edba9d32ecd02

SHA256
d5d33dd6be9a289f9284e5d9ad43554943d9da8501d22d52f9f74e8f9ed790a1

SHA512
45d0dc92eb90083728b849d6bad419daba3828221f9bb1e1f94d8eaebedeeedebc600b11f48e7eced3ee1d4120a7cc1d6f88244fe1cad6715c48e9398e1f8b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
374e56dc4c4816bf3c6fc3df6d2bc329

SHA1
c75f62f7c79d0c0eda664f35f3b159dd242c652e

SHA256
09f9e51a3e5a1f2917cb8b17ad4111a44c56812186b1ed29424b1e4b56967e66

SHA512
3c174b8b195886dee71275cdff7d16fa3ee986d5f252763ac15829c88d6a32aa5cae01c9cd5be41cda85e6a783cc12c2f5ade48067879aed1a55a32b7bfad4be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43eed198297f7fcb9aabb41c7ad7bfea

SHA1
cd0fb433c342910576f05a36e8f1321af12e98e5

SHA256
b03963e0637e64022365b8880513d1341e564880c3c049412ac6b4cc6dc9bfeb

SHA512
16562108df97c22ff935d71b268037fc97ecaad51d05abb58b68033e730db7b9c67829257be5d207540c544a57f9c2350fd8640f493b75c3408c27976ef01400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1884f34324274663ec95cbbea7be0c0

SHA1
29389deadc10d7e32f358c48a984245e4815e764

SHA256
b6e41213add21fc653faedf5c477b9b3849ec25a8c9d453ef4b4eaf872b42e24

SHA512
53845c8dde80e37675494ae694c56623b805b123d19d999739d5cc8434c017be89728253ec07c043608f34654dd983dccf15b70fbd7d598e44b6940819f3ea19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8aed078d434e6d230af4148007588bc

SHA1
602baeeba538b201dbfb375321461f2e959b778c

SHA256
c27287968c6d6b6f4c6107faa726a593fac019cb8099d479546809f05fba22f3

SHA512
40a8ef645b5b5be715f55217b7c5b6af97a517366699bc3bd7b4cc39e3e042ca9f030421245be818bb525f0601b7734242e60c30f110a97954cf4d710f31a4e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a34565ad127609336656add8f7034560

SHA1
f8c558f36abdfdee4bf1ad5e5353425ee65bf4b7

SHA256
186f486ac605fdf64085f8b71119a2ed3747589b6a729504a67f10ee3eeee663

SHA512
83c18ee36a15be310bf0bf231d94923c9f08749ffa5f4c46289aa525c01e27d6512d91b4c9ebe56d8e92845aa4ada9e74856f66300b05a232c3b821504305ee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aae91be5486c5859acb6fbdf465d5caf

SHA1
a67a6ff4f0371b8d62330fc29d9552d8503721e1

SHA256
d47b8a107ff147c260aac116d7746eb41674a97876d6224ad33418129e76dc52

SHA512
3f572681fc9ebfe49ce639481276cd01db501d0a394402cf324ab037cd7c7d6575a5be5e4dec8d81ae85fb609d542929108eff56d603c84fd1e4f6595876b788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
546a99e3811068b0ff52827ece6a8099

SHA1
314a5614e9b33006b8aa8d60b46212d087389aea

SHA256
2c1ed7faf6a3dae351cf16b0682e44061476f4f11b048386b51787ebbce49fb8

SHA512
35504a8a65f9ea43dfa638c615ae25e93e34632f7b02ead676fe430b55ad5e4ec02c803557204545ccc57bfe7c7f778615713c5d38cf5fddc09f65ffc2569b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO887AD078\Vanta Loader.exe

Filesize
235KB

MD5
06f414de1c38f844b4ae985f5fd3aa11

SHA1
6797c073799e79ea5050f01df13bbb2e66c58e20

SHA256
5c50a7c26a0e55d965160f21cbb75e9b18466f7cc09124fb8fb29c3a0f645eef

SHA512
1670c45e8b72634b3096be520fd8d1f6a7eab9c747c1942d8ece0d060ea8c19b001dd71797c3fa89c47c3ce024b0c21a3cca42f63f1bf06078dec26c143592ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO887F7928\Instructions (2).txt

Filesize
161B

MD5
dff50f1c13911c431ff1c97a19493756

SHA1
5dde407520ed49726a8a674365635f041648f638

SHA256
12d6f150cdc32ff5293a062b0d84e91f41897d934276776c14bd8c2206a922da

SHA512
f6801be80fa914e5e9001e800e1c4b0a6edda75e2c3a43956efa4f1124e7d0fcba25c81abf9b8c41b72f36244d592960a9c22135be1a484da8ccaaec57f956f3

Download Submit
C:\Users\Admin\Downloads\VantaFN.rar

Filesize
82KB

MD5
97af3297c52f5c141404f97dc6fadd53

SHA1
a8cf648eb174e1658003899555a293ad298fba8f

SHA256
3745ac0e8371cacb43e8c85289d6b916bd2dccddb47ffaedaeaa2410c8c85f74

SHA512
4f7f45ad2b3dc8150338ea1ef894f543c19fea67d9a4b627a53266d3b2a19f4de8b41505933b6e09a39033d1bb57c1696b4bf8a6eaba5bdde0522fd0ac3926b7

Download Submit
memory/1964-180-0x000001D05DB60000-0x000001D05DB70000-memory.dmp

Filesize
64KB

Download
memory/1964-182-0x00007FFD1C580000-0x00007FFD1D041000-memory.dmp

Filesize
10.8MB

Download
memory/1964-179-0x00007FFD1C580000-0x00007FFD1D041000-memory.dmp

Filesize
10.8MB

Download
memory/1964-178-0x000001D0435D0000-0x000001D043610000-memory.dmp

Filesize
256KB

Download
memory/3224-219-0x00007FFD1C580000-0x00007FFD1D041000-memory.dmp

Filesize
10.8MB

Download
memory/3224-220-0x000001671EAE0000-0x000001671EAF0000-memory.dmp

Filesize
64KB

Download
memory/3224-221-0x00007FFD1C580000-0x00007FFD1D041000-memory.dmp

Filesize
10.8MB

Download
memory/5172-247-0x00007FFD1C580000-0x00007FFD1D041000-memory.dmp

Filesize
10.8MB

Download
memory/5172-248-0x00007FFD1C580000-0x00007FFD1D041000-memory.dmp

Filesize
10.8MB

Download