Analysis

  • max time kernel
    505s
  • max time network
    462s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    21-02-2024 22:54

General

  • Target
    Havoc-Executor.rar
  • Size
    16.8MB
  • MD5
    f92596f16b2227ca7b19b8fcfc146763
  • SHA1
    673eb42df68aec2de4558120785d4b45a7fcbe0f
  • SHA256
    16ab548b51418dc856d375ca306d50fe04ba25df2fb01fdf31057f6fd72f5348
  • SHA512
    668b9ddbdddccf6876ceb6e4294e0b360534ec5bee12881020e9842ee6e19d1f5554c4ca72a0a2335a71c9ab403891c5076c3f9a8ca5140d699eef5a530bee8e
  • SSDEEP
    393216:msqRW0KzrmKC0eNSo38nS1AcYcr2B5u0hKjAXyjbBsK33w4SXjMj:msqLKOKC0eN5sS1Ac1iojAXZFjMj

Score
10/10

Malware Config

Extracted

  • Family
    umbral
  • C2
    https://discord.com/api/webhooks/1202713966892154880/hKt1959RM0bV5-3CpJAwh821Kr6T7h9g1Q2lLB0g86ovim2izdHbNw9y6LtQFK8C5Zhm

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Havoc-Executor.rar
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Havoc-Executor.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2044
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1484
    • C:\Users\Admin\Desktop\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe
      "C:\Users\Admin\Desktop\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2304
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
      1⤵
      PID:3492
      • C:\Users\Admin\Desktop\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe
        "C:\Users\Admin\Desktop\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4588
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /0
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HavocV2.exe.log
    Filesize: 1KB
    MD5: 02df789e3c730b309fc4d9abce5d729b
    SHA1: 4f9da0f0d4cadacfd0f68fb1f7ee73a66dcf1b4e
    SHA256: 4afabcd1723096359d90c8f32df7a6a44cd866e89d5b37c89280bfeab61d7321
    SHA512: 7ac0dd7e3a3e483d07409da793dd2b0915d4369fe41fe743acd82de9aa77b9fa7ea5cd60498034f3fa0674d93d184c9128375d8f7f0796fddecff3845fca8587
  • C:\Users\Admin\Desktop\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe
    Filesize: 395KB
    MD5: bbd057262f45309b69aac1969de8905d
    SHA1: be351afb488c78f984213d8b8fceb0792c00414a
    SHA256: d223ace00adcf9996234b0e5f85b14ca273ead2c01672f7abc8469cfeacf1408
    SHA512: caf0791490f568c2ac5b2242a638a8ff557916d390470b5e04acd6c3bd49a3a69be3ae015a2eb4f10624f8cbd54b99c539011da820ef949ad17b1db88e46b12d
  • memory/1176-41-0x0000020A55350000-0x0000020A55351000-memory.dmp
    Filesize: 4KB
  • memory/1176-43-0x0000020A55350000-0x0000020A55351000-memory.dmp
    Filesize: 4KB
  • memory/1176-47-0x0000020A55350000-0x0000020A55351000-memory.dmp
    Filesize: 4KB
  • memory/1176-46-0x0000020A55350000-0x0000020A55351000-memory.dmp
    Filesize: 4KB
  • memory/1176-45-0x0000020A55350000-0x0000020A55351000-memory.dmp
    Filesize: 4KB
  • memory/1176-44-0x0000020A55350000-0x0000020A55351000-memory.dmp
    Filesize: 4KB
  • memory/1176-36-0x0000020A55350000-0x0000020A55351000-memory.dmp
    Filesize: 4KB
  • memory/1176-35-0x0000020A55350000-0x0000020A55351000-memory.dmp
    Filesize: 4KB
  • memory/1176-37-0x0000020A55350000-0x0000020A55351000-memory.dmp
    Filesize: 4KB
  • memory/1176-42-0x0000020A55350000-0x0000020A55351000-memory.dmp
    Filesize: 4KB
  • memory/2036-26-0x0000020AEF860000-0x0000020AEF8C8000-memory.dmp
    Filesize: 416KB
  • memory/2036-28-0x0000020AF1FD0000-0x0000020AF1FE0000-memory.dmp
    Filesize: 64KB
  • memory/2036-27-0x00007FFA191C0000-0x00007FFA19C82000-memory.dmp
    Filesize: 10.8MB
  • memory/2036-30-0x00007FFA191C0000-0x00007FFA19C82000-memory.dmp
    Filesize: 10.8MB
  • memory/2884-34-0x00007FFA18AB0000-0x00007FFA19572000-memory.dmp
    Filesize: 10.8MB
  • memory/2884-33-0x00007FFA18AB0000-0x00007FFA19572000-memory.dmp
    Filesize: 10.8MB