Analysis
-
max time kernel
53s -
max time network
55s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
21/02/2024, 23:17
General
-
Target
Havoc-ExecutorV2_.rar
-
Size
16.8MB
-
MD5
9ff3dea2bad4a76bc65e98acf1234f0a
-
SHA1
49754b9f66989694c66a5a50f33426ffdb2cc3f5
-
SHA256
b02f3ef73077f0c54cff0e1d920e2013ea549c97daede6cae61c966d556fff9e
-
SHA512
94716419b6a60f2b0b2d454215d1f6bb827f88d8d412115837ed35b9135ff73abd1c3995710c4f52d2bb92db07b94803fee5857041a534d077e0c73bcf49415e
-
SSDEEP
393216:5C/zS+kIvNug+zU+29zreM2M4ZFKV0o24pGO23dVC8:Y/3kIluV7QvF8ZW0o2FtL
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1202713966892154880/hKt1959RM0bV5-3CpJAwh821Kr6T7h9g1Q2lLB0g86ovim2izdHbNw9y6LtQFK8C5Zhm
Signatures
-
Detect Umbral payload 2 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Havoc-ExecutorV2_.rar1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Havoc-ExecutorV2_.rar"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Havoc-Executor (1)\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe"C:\Users\Admin\Desktop\Havoc-Executor (1)\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
394KB
MD56867bdcccea54ee53c6a50c31b512bd1
SHA15d0e8e73b38eb1d5cfcb158dac68a121466d6719
SHA25633da805f17a081bcddedae6be9cc2427d0a9b786cd62c1e44440893c02e04bb8
SHA5126740a2333e8aadbc02f4d63e466ef6f02f4b914bbe3abea9aeeb31d5c10774cc7a2a86e2d4ecc714cf899dd10656114da569a537c5a49ba7f591766f7a60e90c
-
Filesize
416KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB