Analysis
-
max time kernel
65s -
max time network
66s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
21-02-2024 23:21
General
-
Target
aimsense.exe
-
Size
148KB
-
MD5
db11d5b13124f9dab72425ce56662a4f
-
SHA1
09b901184f4865437769f0999bd6d9589008c25d
-
SHA256
df43da5e9f003414fb7087d002291d62e509d1f977e1304d647abf8ec241a68f
-
SHA512
71597bd4ae24b1b74904f7a09c0fdac8d082a86e1d0d794f419057bdccf7f3c5dc07f60cc3499aa00cf2b96e181b7f35b33dbf5fa55a755d7e6fc4c766a708f4
-
SSDEEP
3072:3w10kz9kMiNZKVHd64TGyTOdp6KZt+2T4m6DkBcsfdmC:32T9kMiNZ6HgdyTODZ4p0cWd
Score
10/10
Malware Config
Signatures
-
Detect Umbral payload 2 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Checks computer location settings 2 TTPs 27 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 27 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 38 IoCs
-
Suspicious use of SendNotifyMessage 37 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"8⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid10⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"9⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid11⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"10⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"11⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"11⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid13⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"12⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"13⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid14⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"13⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"14⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid15⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"14⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"15⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid16⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"15⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"16⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid17⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"17⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid18⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"17⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"18⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid19⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"18⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"19⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"20⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid21⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"20⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"21⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid22⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"21⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"22⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid23⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"22⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"23⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid24⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"23⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"24⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid25⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"24⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"25⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid26⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"25⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"26⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid27⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"26⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"27⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid28⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"27⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"28⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid29⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aimsense.exe"C:\Users\Admin\AppData\Local\Temp\aimsense.exe"28⤵
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\auth.exe"C:\Users\Admin\AppData\Local\Temp\auth.exe"19⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid20⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
1KB
MD54c8fa14eeeeda6fe76a08d14e08bf756
SHA130003b6798090ec74eb477bbed88e086f8552976
SHA2567ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5
SHA512116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116
-
Filesize
231KB
MD54e62bcc861008fccf8017a90c9d9fa17
SHA1267c87bfcfb65a2be5516874b9edf9a76f46409b
SHA25653681696ea3e42e5dadb92a1d0686a36d024aa7fbad9cadbdc02a97331da5a37
SHA512a1e65c6a255bc9f7c962d8cd9fe03e1a1d4564fc0f38b6df4f6664d28e0010a255ab3d956bc7ad4acad5311b079536b16da3c48d76bff93284e8b36de715555b
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
176KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
256KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB