Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    21/02/2024, 23:06

General

  • Target

    Havoc-ExecutorV2_.rar

  • Size

    16.8MB

  • MD5

    9ff3dea2bad4a76bc65e98acf1234f0a

  • SHA1

    49754b9f66989694c66a5a50f33426ffdb2cc3f5

  • SHA256

    b02f3ef73077f0c54cff0e1d920e2013ea549c97daede6cae61c966d556fff9e

  • SHA512

    94716419b6a60f2b0b2d454215d1f6bb827f88d8d412115837ed35b9135ff73abd1c3995710c4f52d2bb92db07b94803fee5857041a534d077e0c73bcf49415e

  • SSDEEP

    393216:5C/zS+kIvNug+zU+29zreM2M4ZFKV0o24pGO23dVC8:Y/3kIluV7QvF8ZW0o2FtL

Score
10/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1202713966892154880/hKt1959RM0bV5-3CpJAwh821Kr6T7h9g1Q2lLB0g86ovim2izdHbNw9y6LtQFK8C5Zhm

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#. In this sample the extracted C2 is a Discord webhook (see Malware Config), and the CLR_v4.0\UsageLogs\HavocV2.exe.log file under Downloads is the .NET runtime's usage log, consistent with a managed (C#) executable.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Havoc-ExecutorV2_.rar
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4172
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Havoc-ExecutorV2_.rar"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2000
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1032
    • C:\Users\Admin\Desktop\Havoc-Executor (1)\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe
      "C:\Users\Admin\Desktop\Havoc-Executor (1)\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1836
    • C:\Users\Admin\Desktop\Havoc-Executor (1)\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe
      "C:\Users\Admin\Desktop\Havoc-Executor (1)\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3256
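
The process tree above shows the dropped HavocV2.exe (PIDs 4036 and 1132) each spawning `wmic.exe csproduct get uuid`, and the config shows a Discord webhook as C2. The following is an added example, not code from the Triage report or from the Umbral project: Python detection logic run over constructed Sysmon-style event records. The field names (`type`, `pid`, `ppid`, `image`, `cmdline`, `url`), the parent PID of HavocV2.exe (taken as 1032 from the tree nesting) and the benign records with PIDs 5000/5001 are this example's own assumptions; the PIDs, paths, command lines and webhook URL otherwise come from the report.

```python
"""Flag two behaviours this report attributes to the sample:
   (1) a process running from a user-writable path spawning
       `wmic.exe csproduct get uuid` (system UUID collection), and
   (2) an outbound request to a Discord webhook URL (the configured C2).
Events are constructed, Sysmon-like dicts; the schema is this example's own."""

import re

# Paths an unprivileged user can write to; a payload started from here is more
# suspicious than one started from Program Files or System32.
USER_WRITABLE = re.compile(
    r"^C:\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData\\Local\\Temp)\\",
    re.IGNORECASE,
)
# `wmic csproduct get uuid`, tolerant of quoting and extra whitespace.
WMIC_UUID = re.compile(
    r"\bwmic(?:\.exe)?\b.*\bcsproduct\b.*\bget\b.*\buuid\b", re.IGNORECASE
)
# Discord webhook: numeric snowflake id followed by a URL-safe token.
DISCORD_WEBHOOK = re.compile(
    r"^https://(?:discord|discordapp)\.com/api/webhooks/(\d{17,20})/[A-Za-z0-9_-]+$"
)

HAVOC_PATH = (
    r"C:\Users\Admin\Desktop\Havoc-Executor (1)\Havoc-Executor-V2"
    r"\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe"
)
WEBHOOK_URL = ("https://discord.com/api/webhooks/1202713966892154880/"
               "hKt1959RM0bV5-3CpJAwh821Kr6T7h9g1Q2lLB0g86ovim2izdHbNw9y6LtQFK8C5Zhm")

# Constructed events modelled on the report's process tree. ppid 1032 for
# HavocV2.exe is assumed from the nesting; PIDs 5000/5001 are a benign
# administrator running the same WMIC query from System32 (should not fire).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1032, "ppid": 0,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
                r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
    {"type": "process_create", "pid": 4036, "ppid": 1032, "image": HAVOC_PATH,
     "cmdline": f'"{HAVOC_PATH}"'},
    {"type": "process_create", "pid": 1836, "ppid": 4036,
     "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": '"wmic.exe" csproduct get uuid'},
    {"type": "process_create", "pid": 1132, "ppid": 1032, "image": HAVOC_PATH,
     "cmdline": f'"{HAVOC_PATH}"'},
    {"type": "process_create", "pid": 3256, "ppid": 1132,
     "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": '"wmic.exe" csproduct get uuid'},
    {"type": "process_create", "pid": 5000, "ppid": 0,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process_create", "pid": 5001, "ppid": 5000,
     "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": "wmic csproduct get uuid"},
    {"type": "network", "pid": 4036, "url": WEBHOOK_URL},
    {"type": "network", "pid": 5000, "url": "https://discord.com/api/v9/gateway"},
]


def index_processes(events):
    """Map pid -> process_create record so children can look up their parent."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def detect_wmic_uuid_from_user_path(events):
    """Return (parent_pid, parent_image, wmic_pid) for each WMIC UUID query
    whose parent image lives in a user-writable directory."""
    procs = index_processes(events)
    hits = []
    for e in procs.values():
        if not WMIC_UUID.search(e["cmdline"]):
            continue
        parent = procs.get(e["ppid"])
        if parent is not None and USER_WRITABLE.match(parent["image"]):
            hits.append((parent["pid"], parent["image"], e["pid"]))
    return hits


def detect_discord_webhook(events):
    """Return (pid, webhook_id) for every network event to a Discord webhook.
    Ordinary Discord API traffic (e.g. /api/v9/gateway) does not match."""
    hits = []
    for e in events:
        if e["type"] != "network":
            continue
        m = DISCORD_WEBHOOK.match(e["url"])
        if m:
            hits.append((e["pid"], m.group(1)))
    return hits


def triage(events):
    """Run both detections; a PID that appears in both is a strong stealer signal."""
    wmic = detect_wmic_uuid_from_user_path(events)
    webhook = detect_discord_webhook(events)
    both = sorted({p for p, _, _ in wmic} & {p for p, _ in webhook})
    return {"wmic_uuid": wmic, "discord_webhook": webhook, "both": both}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_EVENTS).items():
        print(name, result)
```

On the constructed events, both HavocV2.exe instances fire the WMIC rule, the benign System32 query from PID 5000 does not, and PID 4036 is the only process hitting both rules. Against real telemetry, feed it Sysmon Event ID 1 (process creation) and Event ID 22/3 (DNS/network) records mapped onto the same fields.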

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HavocV2.exe.log

    Filesize

    1KB

    MD5

    02df789e3c730b309fc4d9abce5d729b

    SHA1

    4f9da0f0d4cadacfd0f68fb1f7ee73a66dcf1b4e

    SHA256

    4afabcd1723096359d90c8f32df7a6a44cd866e89d5b37c89280bfeab61d7321

    SHA512

    7ac0dd7e3a3e483d07409da793dd2b0915d4369fe41fe743acd82de9aa77b9fa7ea5cd60498034f3fa0674d93d184c9128375d8f7f0796fddecff3845fca8587

  • C:\Users\Admin\Desktop\Havoc-Executor (1)\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe

    Filesize

    394KB

    MD5

    6867bdcccea54ee53c6a50c31b512bd1

    SHA1

    5d0e8e73b38eb1d5cfcb158dac68a121466d6719

    SHA256

    33da805f17a081bcddedae6be9cc2427d0a9b786cd62c1e44440893c02e04bb8

    SHA512

    6740a2333e8aadbc02f4d63e466ef6f02f4b914bbe3abea9aeeb31d5c10774cc7a2a86e2d4ecc714cf899dd10656114da569a537c5a49ba7f591766f7a60e90c

  • memory/1132-33-0x00007FF873CB0000-0x00007FF874772000-memory.dmp

    Filesize

    10.8MB

  • memory/1132-34-0x0000020110060000-0x0000020110070000-memory.dmp

    Filesize

    64KB

  • memory/1132-35-0x00007FF873CB0000-0x00007FF874772000-memory.dmp

    Filesize

    10.8MB

  • memory/4036-26-0x000001D3A0340000-0x000001D3A03A8000-memory.dmp

    Filesize

    416KB

  • memory/4036-27-0x00007FF873CB0000-0x00007FF874772000-memory.dmp

    Filesize

    10.8MB

  • memory/4036-28-0x000001D3A1FD0000-0x000001D3A1FE0000-memory.dmp

    Filesize

    64KB

  • memory/4036-30-0x00007FF873CB0000-0x00007FF874772000-memory.dmp

    Filesize

    10.8MB