Analysis

  • max time kernel
    184s
  • max time network
    224s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-02-2024 04:39

General

  • Target

    Havoc-Executor.rar

  • Size

    16.8MB

  • MD5

    f92596f16b2227ca7b19b8fcfc146763

  • SHA1

    673eb42df68aec2de4558120785d4b45a7fcbe0f

  • SHA256

    16ab548b51418dc856d375ca306d50fe04ba25df2fb01fdf31057f6fd72f5348

  • SHA512

    668b9ddbdddccf6876ceb6e4294e0b360534ec5bee12881020e9842ee6e19d1f5554c4ca72a0a2335a71c9ab403891c5076c3f9a8ca5140d699eef5a530bee8e

  • SSDEEP

    393216:msqRW0KzrmKC0eNSo38nS1AcYcr2B5u0hKjAXyjbBsK33w4SXjMj:msqLKOKC0eN5sS1Ac1iojAXZFjMj

Score
10/10

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1202713966892154880/hKt1959RM0bV5-3CpJAwh821Kr6T7h9g1Q2lLB0g86ovim2izdHbNw9y6LtQFK8C5Zhm

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Havoc-Executor.rar
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Havoc-Executor.rar"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3448
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1732
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Havoc-Executor\" -spe -an -ai#7zMap1804:108:7zEvent21197
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2184
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Havoc-Executor\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Read Before Use.txt
      1⤵
        PID:2060
      • C:\Users\Admin\AppData\Local\Temp\Havoc-Executor\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe
        "C:\Users\Admin\AppData\Local\Temp\Havoc-Executor\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:468
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:808
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:888
      • C:\Users\Admin\AppData\Local\Temp\Havoc-Executor\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe
        "C:\Users\Admin\AppData\Local\Temp\Havoc-Executor\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:700
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2372

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HavocV2.exe.log
    Filesize: 1KB
    MD5: 8094b248fe3231e48995c2be32aeb08c
    SHA1: 2fe06e000ebec919bf982d033c5d1219c1f916b6
    SHA256: 136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc
    SHA512: bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

  • C:\Users\Admin\AppData\Local\Temp\Havoc-Executor\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Havoc-Executor\HavocV2.exe
    Filesize: 395KB
    MD5: bbd057262f45309b69aac1969de8905d
    SHA1: be351afb488c78f984213d8b8fceb0792c00414a
    SHA256: d223ace00adcf9996234b0e5f85b14ca273ead2c01672f7abc8469cfeacf1408
    SHA512: caf0791490f568c2ac5b2242a638a8ff557916d390470b5e04acd6c3bd49a3a69be3ae015a2eb4f10624f8cbd54b99c539011da820ef949ad17b1db88e46b12d

  • C:\Users\Admin\AppData\Local\Temp\Havoc-Executor\Havoc-Executor-V2\Havoc-Executor\Havoc-Executor\Havoc-Executor\Read Before Use.txt
    Filesize: 143B
    MD5: debdb28ccd7c400149c7d35c03f31a92
    SHA1: cb2cbc7c1e1c7d9884d53c61b4704b14d185a237
    SHA256: 2b07fc5bdef73b169d8038a11f39912e74e78cfa81b6f69716a0f492b8925ab8
    SHA512: b9b553672f6490b0cc1ffe39092d60810d21044686769ddf70ca9bbd6c52e4f4539acf22d9b85218284e0588ed2ac5baac82a5b93cf4f84296c1ff3b1f68591e

  • memory/468-27-0x000002827EE70000-0x000002827EED8000-memory.dmp (Filesize: 416KB)
  • memory/468-28-0x00007FFE4DC90000-0x00007FFE4E751000-memory.dmp (Filesize: 10.8MB)
  • memory/468-29-0x0000028219610000-0x0000028219620000-memory.dmp (Filesize: 64KB)
  • memory/468-31-0x00007FFE4DC90000-0x00007FFE4E751000-memory.dmp (Filesize: 10.8MB)
  • memory/700-49-0x00007FFE4DC90000-0x00007FFE4E751000-memory.dmp (Filesize: 10.8MB)
  • memory/700-48-0x000002AC01B90000-0x000002AC01BA0000-memory.dmp (Filesize: 64KB)
  • memory/700-47-0x00007FFE4DC90000-0x00007FFE4E751000-memory.dmp (Filesize: 10.8MB)
  • memory/888-38-0x000001A185C20000-0x000001A185C21000-memory.dmp (Filesize: 4KB)
  • memory/888-40-0x000001A185C20000-0x000001A185C21000-memory.dmp (Filesize: 4KB)
  • memory/888-43-0x000001A185C20000-0x000001A185C21000-memory.dmp (Filesize: 4KB)
  • memory/888-42-0x000001A185C20000-0x000001A185C21000-memory.dmp (Filesize: 4KB)
  • memory/888-41-0x000001A185C20000-0x000001A185C21000-memory.dmp (Filesize: 4KB)
  • memory/888-44-0x000001A185C20000-0x000001A185C21000-memory.dmp (Filesize: 4KB)
  • memory/888-39-0x000001A185C20000-0x000001A185C21000-memory.dmp (Filesize: 4KB)
  • memory/888-32-0x000001A185C20000-0x000001A185C21000-memory.dmp (Filesize: 4KB)
  • memory/888-33-0x000001A185C20000-0x000001A185C21000-memory.dmp (Filesize: 4KB)
  • memory/888-34-0x000001A185C20000-0x000001A185C21000-memory.dmp (Filesize: 4KB)