Overview

overview

10

Static

static

10

Star.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    79s
  • max time network
    88s
  • platform
    windows10-1703_x64
  • resource
    win10-20240214-en
  • resource tags

    arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
  • submitted
    20-02-2024 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Star.exe

  • Size

    235KB

  • MD5

    89d9c3ae4167a3b9a77a6a3ab0c2059c

  • SHA1

    eed768337a0b4534e667099f4b24476f69d16795

  • SHA256

    cd4ba31d82b9a83f45d5c2a12b91dfce88b70acff2ed894bb1abc617a98fa8bf

  • SHA512

    ca888898ba94230d24caa6c34da28aff00b62af4be33537ed1e228a668cca921e6211cdcc163064df1bee62974f1b028550cd70c99896bee5e4797681db44f2d

  • SSDEEP

    6144:3loZM+9EB1/SqctonEPfCqAiBaJTlOyNLcxDiijSjj8e1mEXC:VoZQdSqcwviBaJTlOyNLcxDiijS/M

Score
10/10
umbralstealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Star.exe
    "C:\Users\Admin\AppData\Local\Temp\Star.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4364
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4456
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.0.1328018299\409447937" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1656 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82e654f8-2f03-4f62-9bcd-d1fa214cb41e} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 1780 1fca0cd8858 gpu
          3⤵
            PID:3084
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.1.1321961186\600810702" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7110d747-35f1-4896-9072-c0bafd4d0043} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 2136 1fc95be5858 socket
            3⤵
            • Checks processor information in registry
            PID:3148
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.2.1982570792\1171732071" -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 2592 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd4ec73c-a15f-4420-8416-5509300ad9af} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 2724 1fca4c99558 tab
            3⤵
              PID:2500
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.3.1752928975\1606194982" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3480 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12029ed3-d1e4-433d-860f-1b12b1a1292d} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 3492 1fc95b62258 tab
              3⤵
                PID:2204
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.4.387521836\130572227" -childID 3 -isForBrowser -prefsHandle 4160 -prefMapHandle 4156 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe081af1-4d70-496d-b740-df59652e7adb} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 4176 1fca5d57258 tab
                3⤵
                  PID:2232
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.7.1328057712\1204631090" -childID 6 -isForBrowser -prefsHandle 4764 -prefMapHandle 4756 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {431367d4-8861-45c0-b8dd-af810ba86236} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 4796 1fca7118a58 tab
                  3⤵
                    PID:2716
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.6.1220324072\1777529880" -childID 5 -isForBrowser -prefsHandle 4980 -prefMapHandle 4984 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d250c427-071e-4b0d-8ce9-bd6f0b32da02} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 4972 1fca6d10f58 tab
                    3⤵
                      PID:1904
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.5.172864299\810878044" -childID 4 -isForBrowser -prefsHandle 4748 -prefMapHandle 4820 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67d40c16-d502-4e4e-97e2-4cbe4f082c64} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 4796 1fca52ab458 tab
                      3⤵
                        PID:1636

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yecwvaj4.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    550d95d3120ea50b637ee2ba140b6821

                    SHA1

                    a6da6b5e754c2025350832231db9b0026983397f

                    SHA256

                    c7f67cd827dac6d2ce1346add06a74ec7f47d474d198928b5656bf13d529dce5

                    SHA512

                    d2d74f398b5c5f20a1fbf1ce2c477240b9718d3a055f83a8f76aa1e321ae48939b4a22f31973f9b51e22463e9fa47de689ecfd08e89f0d55158fc9f0524ec3e4

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yecwvaj4.default-release\datareporting\glean\pending_pings\4777444f-c504-4c27-9d33-ed81725c09ba
                    Filesize

                    746B

                    MD5

                    9197eb6926fd3c2d49a0c1e896809a46

                    SHA1

                    f4e4716b3e47e9d6c8feab2d8299808609ac35fe

                    SHA256

                    7e47c05a643fef840ec6b5e3eeff91d34d11feb0ea14567a7703fe0e7dcad5c2

                    SHA512

                    7d8920fc8c3b93df15dd28535d6ae63325b26f2e32bc1cbf88dca0ca2bd5b46de2d57c3bec34ba70da20bd72af8985c2a1e6001f31ea8b555b3bcebd4df0503a

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yecwvaj4.default-release\datareporting\glean\pending_pings\cff810f2-1538-4f97-89c2-6389de44aeed
                    Filesize

                    10KB

                    MD5

                    149444ced61aa465aa6e849c5e835256

                    SHA1

                    44acea96ca79fc5556e60a897d67becf90b8fe1a

                    SHA256

                    90391d8872ff4622b18b6a1b57440900263ec93b28ff53af47953f106198feff

                    SHA512

                    38c9aca7de918b6b5caa04406643aa9d8bc4cf270621be582651773e9c1f9f774dc6e6ba473b898a12389ac717657f9bab778138d23db7cd9a139aee383d7f12

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yecwvaj4.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    50186862bd836d67da992eac095282b6

                    SHA1

                    56be1858ca7cbabf359423c9ec5d0cf8243dbc65

                    SHA256

                    ef14975b798632e5e482f05e2976c58421691d29eba606e5be3eb759034a8f28

                    SHA512

                    ccaefe2d54571d003937eaad3c515e616399bf61127161ee1f50e7418090f1698b4104ab778764c061788e39d3f7ad6107eade3d405efdad6ede88752ef006dd

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yecwvaj4.default-release\sessionstore.jsonlz4
                    Filesize

                    883B

                    MD5

                    be4e06d3ec335b8f85f4eb12e8d8d1c5

                    SHA1

                    491f3a39e314d168ca23fd7b6107a99d463ebee9

                    SHA256

                    ccfd9d6176faa02a043197f379eb2a1b40734ec0c47f97aabeabe3bc5df9220e

                    SHA512

                    20e4c0a369d98bbfbf0be6ea8fd5aeef158fb58464c8a0a96a939d7d90c56dddd5edf2d3ac1836d8cf6f5effeb9851904d4f3aa1928fbc571b018717ddc7e210

                    Download Submit

                  • memory/4268-0-0x0000022389C70000-0x0000022389CB0000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/4268-1-0x00007FFBC9780000-0x00007FFBCA16C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4268-2-0x000002238B830000-0x000002238B840000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4268-4-0x00007FFBC9780000-0x00007FFBCA16C000-memory.dmp

                    Filesize

                    9.9MB

                    Download